[MM / N] [LB] Dirtycow Temp Root Shell and Debloat Script (Freeze Unwanted Apps)

[serajr]

Already achieved it on my F8131, but it is limited root shell only, and cannot perform backup of TA partition (yet).
But I can at least debloat (freeze) system and/or crappy apps (any package). Here is my dirtycow debloat output:

F8131, locked BL, 35.0.A.1.297 fw.

Microsoft Windows [versão 10.0.14393]
(c) 2016 Microsoft Corporation. Todos os direitos reservados.

C:\Users\Sera>adb shell
[email protected]:/ $ [B][COLOR="red"]id[/COLOR][/B]
[B][COLOR="Red"]uid=2000(shell) gid=2000(shell) groups=2000(shell)[/COLOR][/B],1004(input),1007(log),1011(adb),1015(sdcard_rw),1026(drmrpc),1028(sdcard_r),2993(trimarea),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
[email protected]:/ $ run-as con
[email protected]:/ # [COLOR="red"][B]id[/B][/COLOR]
[B][COLOR="red"]uid=0(root) gid=0(root) groups=0(root)[/COLOR][/B],1004(input),1007(log),1011(adb),1015(sdcard_rw),1026(drmrpc),1028(sdcard_r),2993(trimarea),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
[email protected]:/ # /data/local/tmp/debloat.sh

Freezing quite a few packages, standby a minute or two...

/system/app/

Package com.sonymobile.anondata new state: disabled
Package com.android.dreams.basic new state: disabled
Package com.s.antivirus new state: disabled
Package com.sonymobile.xperialounge.services new state: disabled
Package com.swiftkey.swiftkeyconfigurator new state: disabled
Package com.sonymobile.deviceconfigtool new state: disabled
Package com.sonymobile.dualshockmanager new state: disabled
Package com.google.android.apps.docs.editors.docs new state: disabled
Package com.google.android.apps.docs.editors.sheets new state: disabled
Package com.google.android.apps.docs.editors.slides new state: disabled
Package com.sonymobile.exchange new state: disabled
Package com.sonymobile.android.externalkeyboardjp new state: disabled
Package com.facebook.katana new state: disabled
Package com.android.facelock new state: disabled
Package com.noknok.android.mfac.service new state: disabled
Package com.qualcomm.qti.auth.fidocryptoservice new state: disabled
Package com.qualcomm.qti.auth.fidosuiservice new state: disabled
Package com.android.galaxy4 new state: disabled
Package com.sonymobile.getmore.client new state: disabled
Package com.sonymobile.music.googlelyricsplugin new state: disabled
Package com.android.wallpaper.holospiral new state: disabled
Package com.android.htmlviewer new state: disabled
Package com.sonymobile.intelligent.backlight new state: disabled
Package com.sonymobile.intelligent.observer new state: disabled
Package com.sonymobile.sso new state: disabled
Package com.android.keychain new state: disabled
Package com.sonymobile.lifelog new state: disabled
Package com.android.wallpaper new state: disabled
Package com.google.android.apps.maps new state: disabled
Package com.google.android.music new state: disabled
Package com.sony.nfx.app.sfrc new state: disabled
Package com.android.noisefield new state: disabled
Package com.sonyericsson.omadl new state: disabled
Package com.android.providers.partnerbookmarks new state: disabled
Package com.android.phasebeam new state: disabled
Package com.sonymobile.phoneusage new state: disabled
Package com.google.android.apps.photos new state: disabled
Package com.sonymobile.slideshow new state: disabled
Package com.android.dreams.phototable new state: disabled
Package com.sonyericsson.advancedwidget.photo new state: disabled
Package com.scee.psxandroid new state: disabled
Package com.realvnc.android.remote new state: disabled
Package com.sonymobile.email new state: disabled
Package com.sonyericsson.warrantytime new state: disabled
Package org.simalliance.openmobileapi.service new state: disabled
Package com.sonymobile.enterprise.installation new state: disabled
Package com.sonymobile.sketch new state: disabled
Package com.android.stk new state: disabled
Package com.sonymobile.styleportrait.addon.blue new state: disabled
Package com.sonymobile.styleportrait.addon.bubble new state: disabled
Package com.sonymobile.styleportrait.addon.daily new state: disabled
Package com.sonymobile.styleportrait.addon.paint new state: disabled
Package com.sonymobile.styleportrait.addon.red new state: disabled
Package com.sonymobile.styleportrait.addon.star new state: disabled
Package com.sonymobile.styleportrait.addon.sunshine new state: disabled
Package com.sonymobile.styleportrait.addon.suntan new state: disabled
Package com.sonymobile.synchub new state: disabled
Package com.sonymobile.advancedwidget.topcontacts new state: disabled
Package com.sonymobile.touchblocker new state: disabled
Package com.sonyericsson.unsupportedheadsetnotifier new state: disabled
Package com.google.android.videos new state: disabled
Package com.sony.tvsideview.phone new state: disabled
Package com.sonymobile.music.wikipediaplugin new state: disabled
Package com.sonymobile.advancedwidget.worldclock new state: disabled
Package com.sonymobile.music.youtubekaraokeplugin new state: disabled
Package com.sonymobile.music.youtubeplugin new state: disabled

/system/priv-app/

Package com.sonyericsson.android.addoncamera.artfilter new state: disabled
Package com.android.backupconfirm new state: disabled
Package com.android.calllogbackup new state: disabled
Package com.sonymobile.cameracommon.wearablebridge new state: disabled
Package com.sonymobile.coverapp2 new state: disabled
Package com.sonymobile.enterprise.service new state: disabled
Package com.sonymobile.getmore new state: disabled
Package com.google.android.backuptransport new state: disabled
Package com.google.android.feedback new state: disabled
Package com.sonymobile.intelligent.gesture new state: disabled
Package com.android.musicfx new state: disabled
Package com.sonymobile.mx.android new state: disabled
Package com.sonyericsson.android.omacp new state: disabled
Package com.sonymobile.ree new state: disabled
Package com.android.sharedstoragebackup new state: disabled
Package com.sonymobile.simlockunlockapp new state: disabled
Package com.sonymobile.gettoknowit new state: disabled
Package com.sonymobile.mirrorlink.manualswitch new state: disabled
Package com.sonymobile.mirrorlink.server11 new state: disabled
Package com.sonymobile.mirrorlink.system new state: disabled
Package com.sonymobile.android.addoncamera.soundphoto new state: disabled
Package com.android.apps.tag new state: disabled
Package com.sonyericsson.mtp.extension.backuprestore new state: disabled
Package com.sonyericsson.mtp.extension.factoryreset new state: disabled
Package com.sonymobile.mtp.extension.fotaupdate new state: disabled
Package com.sonyericsson.mtp.extension.update new state: disabled
Package com.sonyericsson.mtp new state: disabled
Package com.google.android.googlequicksearchbox new state: disabled

others

Package com.facebook.appmanager new state: disabled
Package com.facebook.system new state: disabled
Package com.google.android.apps.docs new state: disabled
Package com.google.android.calendar new state: disabled
Package com.google.android.gm.exchange new state: disabled
Package com.google.android.marvin.talkback new state: disabled
Package com.sony.snei.np.android.account new state: disabled
Package com.sonymobile.androidapp.cameraaddon.areffect new state: disabled
Package com.sonymobile.androidapp.cameraaddon.stickercreator new state: disabled
Package com.sonymobile.support new state: disabled
Package com.touchtype.swiftkey new state: disabled
Package com.linkedin.android new state: disabled
Package com.spotify.music new state: disabled

Done freezing packages! Reboot your device!!

[email protected]:/ #

Thanks @zxz0O0 and @shoey63 for the precious support!

I'm still working on it. Maybe I (or we) end up in a temp root solution to be able to perform backup of TA partition. I said maybe!! ETA?... don't f*** !!
Also, I will release the dirtycow debloat tool as soon as I finish it. >> DONE!


Requirements:
- Vulnerable Stock MM and/or N Kernel (Maybe all of them)


Instruction:
- Download and unpack
- Look into \files\debloat.sh file contents. Marked (# pm ...) lines won't be freezed!
- Run proper .bat file
- Follow on-screen instructions


Beers...

 

[serajr]

Everybody is welcome!

 

[Desperanto86]

thx. to unfreeze need replace "disable" to "enable"?

this temp root can't do anything and blocking with this way equal of hiding by debloater as I can see.

pm disable com.sonymobile.android.addoncamera.supervideo.product.res.overlay.enable4k # /system/vendor/overlay/SuperVideoCamera-Enable-4K-Overlay-275-release.apk

still not disabled

 

[serajr]

thx. to unfreeze need replace "disable" to "enable"?

this temp root can't do anything and blocking with this way equal of hiding by debloater as I can see.

pm disable com.sonymobile.android.addoncamera.supervideo.product.res.overlay.enable4k # /system/vendor/overlay/SuperVideoCamera-Enable-4K-Overlay-275-release.apk

still not disabled

You want to disable this app to enable 4k video. That won't work! For that you need to delete the apk, which requires unlock bootloader and proper root your device.
Not temp root fault!! Please, look for more accurate info before you blame that tool does nothing!

 

[shoey63]

Works great great on Z5 with latest firmware?

 

[Kzawww]

Doesn't work on XX latest firmware.
Error when disable.

Waiting for update.

 

[Desperanto86]

Doesn't work on XX latest firmware.
Error when disable.

Waiting for update.

did u do "run-as con" in cmd?

 

[FreshlyBaked 420]

Thanks buddy, I look forward to trying this after work!

 

[DerEineDa]

Thanks, the exploit works on my Lenovo Yoga Tab 3 Plus!

Edit: Unfortunately, most commands still give me a "permission denied", like "ls /dev" or "mount -o rw,remount,rw /system".

 

[serajr]

Thanks, the exploit works on my Lenovo Yoga Tab 3 Plus!

Edit: Unfortunately, most commands still give me a "permission denied", like "ls /dev" or "mount -o rw,remount,rw /system".

It is a limited temp root with "u:r:shell:s0" context only. We can't perform most of root commands on that context. This is why I decided to release it over here only!!
Still under development... stay tuned!

 

[oshmoun]

nice work getting everything wrapped with a bat script! got a question though
Did you use run-as.c as provided by timwr or did you do any modifications?
With his version I can get run-as to output "uid 0", but with your version I get:

run-as con
CANNOT LINK EXECUTABLE: empty/missing DT_HASH/DT_GNU_HASH in "run-as" (new hash type from the future?)

Note: I'm trying this on an xperia compact with fw 34.1.A.1.198

Edit: just to check if we're both reaching the same progress:
You also can't get a shell that can read init scripts right? I still can't

Edit 2: for people running betterbatterystats, or wanting to run it, you can use this exploit to grant bbs the permissions it needs without root

pm grant com.asksven.betterbatterystats_xdaedition android.permission.BATTERY_STATS 
pm grant com.asksven.betterbatterystats_xdaedition android.permission.DUMP

I'm obviously using the xda edition of bbs, but if you run the playstore version just change the package name.

 

[serajr]

nice work getting everything wrapped with a bat script! got a question though
Did you use run-as.c as provided by timwr or did you do any modifications?
With his version I can get run-as to output "uid 0", but with your version I get:

run-as con
CANNOT LINK EXECUTABLE: empty/missing DT_HASH/DT_GNU_HASH in "run-as" (new hash type from the future?)

Note: I'm trying this on an xperia compact with fw 34.1.A.1.198

Edit: just to check if we#re both reaching the same progress:
You also can't get a shell that can read init scripts right? I still can't

Edit 2: for people running betterbatterystats, or wanting to run it, you can use this exploit to grant bbs the permissions it needs without root

pm grant com.asksven.betterbatterystats_xdaedition android.permission.BATTERY_STATS 
pm grant com.asksven.betterbatterystats_xdaedition android.permission.DUMP

I'm obviously using the xda edition of bbs, but if you run the playstore version just change the package name.

Glad to know you did like it!

Here is my-run-as source. Completely windows-build (forgive me, I'm Windows guy), it needs NDK installed and in path.
To compile it open a command prompt and type: make build

It works on both arm and arm64 devices. Please, let me know if you get something new!
We need to help each other! TA backup is our goal!!

 

[oshmoun]

Glad to know you did like it!

Here is my-run-as source. Completely windows-build (forgive me, I'm Windows guy), it needs NDK installed and in path.
To compile it open a command prompt and type: make build

It works on both arm and arm64 devices. Please, let me know if you get something new!
We need to help each other! TA backup is our goal!!

Nice! thank you for the code, now got your my-run-as running and I can read init scripts!
So now we're both on the same page, hopefully more could pitch in with what they know!

Edit: just to say I tried it lol

[email protected]:/ # run-as con u:r:tad:s0
running as uid 0
Unable to set context to 'u:r:tad:s0'!

Edit 2: I attached my compiled version of my-run-as should anyone face the same issue I had. Had to add .txt to the file name so I could upload lol

 

[Desperanto86]

It is a limited temp root with "u:r:shell:s0" context only. We can't perform most of root commands on that context. This is why I decided to release it over here only!!
Still under development... stay tuned!

by the way! I've used your method on sony android tv KDL-55W807C! it works!

 

[oshmoun]

anyone checked this?
https://github.com/scumjr/dirtycow-vdso
Can't say I'm familiar with how to use dirtycow on anything other than the file system

 

[serajr]

by the way! I've used your method on sony android tv KDL-55W807C! it works!

Great news! :good:

anyone checked this?
https://github.com/scumjr/dirtycow-vdso
Can't say I'm familiar with how to use dirtycow on anything other than the file system

Looks promising!
I have no spare time during week to play with android stuff due my job, unfortunately!!

 

[bhz21]

OMG

:fingers-crossed:

Parabéns cara! (Congratulations dude! )

If, by using this method, we'll be able to root our Xperia devices keeping a LB it will be amazing!!

I have a Xperia Z5P and the only reason i didn't root it yet is because of the need to unlock the bootloader and "losing" DRM keys...

Cheers!

 

[serajr]

:fingers-crossed:

Parabéns cara! (Congratulations dude! )

If, by using this method, we'll be able to root our Xperia devices keeping a LB it will be amazing!!

I have a Xperia Z5P and the only reason i didn't root it yet is because of the need to unlock the bootloader and "losing" DRM keys...

Cheers!

Vlw bro!!

How about iovyroot? It looks like all Z5 variants can be temp rooted.

 

[infected_]

Vlw bro!!

How about iovyroot? It looks like all Z5 variants can be temp rooted.

They can, but the exploit is on kernel from 5.1.1 firmware. Don't recall the build now, but maybe 152

Sent from my F8131 using XDA-Developers mobile app

 

[Desperanto86]

They can, but the exploit is on kernel from 5.1.1 firmware. Don't recall the build now, but maybe 152

Sent from my F8131 using XDA-Developers mobile app

oh. nice will try that tool on my Sony Android TV it has ver.5.1.1