General (OPEN DEV) BruteRoot - A collection of Root Tactics (Possibly Force Bootloader unlock on NA Samsung S22?)

I looked into the Galaxy Store vulnerability, CVE-2022-33708. I was on a patched version but uninstalling system updates for the app put me on a vulnerable version. I decompiled the APK using jadx and did find what I believe is how to perform this exploit. There's a broadcast receiver that gets registered when installing and uninstalling apps from the store.

In the onReceive for the receiver there's a part where if the package installer receives an intent with the status -1 (STATUS_PENDING_USER_ACTION) then it launches another Intent that's provided in the first one. I think that this is what we're looking for.

Ignore the errors from decompilation but this is what I'm talking about:
Oh ****! Good Find! Have you tried to exploit it yet? See if you could maybe tell it to overwrite some useless arbitrary file that has elevated privs?
 
Yes. Such as recently stolen internal Samsung files.
It would be great if there was a place we could say **** the BS semantics and just DO RESEARCH. I totally get the copyright issue, really. That can cause some serious BS and I apologize for that; didn't realize I couldn't speak of it at all in that context.
 

V0latyle

Forum Moderator
Watch the language, please. While there are many places on the Internet where such material might be shared, XDA is not one of them. It's stolen intellectual property that was never intended for the public domain. I can agree with most everyone here in the hopes that someone's able to use it in such a way that allows us to overcome the artificial restrictions placed on contemporary devices, but when it comes to the code itself, we must avoid any legal liability whatsoever. XDA is free; let's keep it that way.
 
Very well explained, thank you for that. I do agree for the most part. Again, apologies; force of habit on language.
 
There is, Telegram. A large part of development is now happening there
Invite me to a group? I've basically been in a shell the last 5 years so I don't know where to start to find others that are into this stuff. I'm full-on solo on this ATM (which is probably why it's taking so long; I'm having to figure everything out from scratch with only the help of Google, XDA and the Android Developers website, lol).
 
If I could also get an invite that would be appreciated
 

Oswald Boelcke

Senior Moderator / Moderator & RC-RT Committees
I'll try to post in it as much as possible. Anyone is welcome to join. Let's try to use this as a resource for communicating new and potential exploits for collective work, dev and rev engineering as well as any questions.

{Mod edit: Link removed}
@K0mraid3 I've removed the reference to Telegram from your above post.

Regarding social media links please observe that as an exemption from the last bullet of rule no. 5 of the XDA Forum Rules, we grant only developers the privilege to share references to their social media in their own development threads and if thorough support is provided in the thread. These conditions obviously don't apply to you or your thread. Additional information is also available here:

Thanks for your cooperation.
Regards
Oswald Boelcke
Senior Moderator
 
I hope you guys know I'm in no way trying to break rules intentionally. I apologize.
 

Top Liked Posts

    Kernel version still the same. Hang tight.
    Interesting read. Well, I have already updated to the August patch. So that means I'm SOL. LOL
    Pretty sure the bootloader version is still the same version U2 (version 2) which is the same as July and I think June meaning we can flash back to those versions if needed. At least that's what I think I've read before. If August's was version 3 then I think you can't go back to lower firmware with a lower bootloader.
    Yep, you can actually go back as far as the May update. Looks like that is the first bit 2 update. I did it the other day coming back from the OneUI 5 beta.
    An update from kernel security researcher Zhenpeng Lin: he has reported the exploit to Google and will publish details after it has been fixed. He also believes this exploit will allow unlocking the bootloader.
    Flashed! (NOT recovery! - Boot.img's on A/B. - Empty VBmeta)
    Is there any way to know for sure if any exploit worked? Because I tried this method on computer and also through Termux on my phone, and somehow now my GPay fails. It gives me the error that this phone is altered and modified. Also noticed the kernel was set to permissive (I don't think it was before; maybe I'm wrong), then I set it to enforcing in Termux. Also noticed that my font changed in certain places that didn't have it before (monoUi.apk). So is it possible I somehow retained root or temp root? And if so, wouldn't a restart get rid of it? I've restarted 3 or 4 times and it's still the same. Also checked through download mode to see if Knox was tripped... still at 0x0. Sorry for the long post. I was just curious.

    As far as I am aware, SELinux is always set to enforcing by default and cannot be changed on non-rooted devices. The fact that it changed to permissive and that you were able to set it back to enforcing may indicate you had root privileges.
    Devices & Linux Versions I or other Testers have Successfully Gained Root on:
    (Likely All) MTK CPU Based Android devices UP TO 11 (Maybe 12? I haven't tested) (i.e. LG, Sony, select Samsung devices)
    Android Devices with LINUX KERNEL VERSIONS - 5.8 - 4.14 - Maybe More? (Needs Testing)


    -THIS GUIDE IS NOT BEGINNER FRIENDLY - BASIC UNDERSTANDING OF PYTHON, UNIX/LINUX ETC WILL BE REQUIRED!-

    If you have been holding off updating your device, well, here's some good news: your device may still be vulnerable to a method to gain root access (and subsequently, possibly the ability to edit build.prop and therefore allow OEM unlocking on USA-based devices). <- correct me if I'm wrong, but this should be possible, and once done, should persist across updates, correct?

    As of the time of writing this, there is not currently a simplified APK method, but, still this process is relatively straight forward.
    A lot of the methods used HAVE been patched from what I understand, but there have got to be plenty of devices out there still which are not updated. This project aims to compile all current, former and future root methods into an APK that will do all the leg-work. If it's able to find a working method, the GUI will pop a root shell for the end user. This SHOULD work regardless of the setting of the "OEM UNLOCK" option in the dev options. A bypass, essentially.

    Regardless, the project linked below uses a myriad of known exploits & vulnerabilities and looks to find one that will work.

    Methods used are:
    • Nearly all of GTFOBins
    • Writeable docker.sock
    • CVE-2022-0847 (Dirty pipe)
    • CVE-2021-4034 (pwnkit)
    • CVE-2021-3560
    It'll exploit most sudo privileges listed in GTFOBins to pop a root shell, as well as exploiting issues like a writable docker.sock, or the recent dirty pipe (CVE-2022-0847). More methods to root will be added over time too.

    There is also an alternative (Dirty Pipe) injection method that uses @topjohnwu's Magisk; this should be implemented into the APK. See this Github repo, Here.

    I would imagine this could be implemented in a way to target devices that have stopped being supported for updates as well, that do not have TWRP, such as the SM-T307U.

    One big note - I am betting there are still A LOT of devices that are in inventory at retailers that remain on the vulnerable OS. So keeping that in mind, I'd say this is worth building.

    What needs to be done:
    • TESTING!
    • Build APK - HELP NEEDED WITH THIS!
    • Deploy
    Main Goals:
    • Get bootloader unlock ability for devices normally not unlockable (i.e. North American Samsung Galaxy S22, etc.)
      • Above can be achieved by getting temp root via methods detailed here or otherwise, then editing build.prop, altering the below settings (The settings may be worded differently or simply not present at all, depending on device and Firmware version):
      • sys.oem_unlocking_allowed to 1
      • ro.oem_unlock_supported to 1 (most devices are set to 1 by default.)
      • ro.boot.flash.locked to 0
      • ro.secure to 0
      • ro.debuggable to 1
      • I think there may be one or two more that pertain to flash.locked, i.e. flash.locked.other, or something very close.
    • Locally, gain temp root (System preferred, but any root will do.) on as many device types as possible.
    • Give device control back to end user.
    • Stay up-to-date on new exploits for root access & update apk accordingly.

    • STAY ETHICAL!!!! This is, in the end, a research project. Meaning all work performed in the context of this project could result in a damaged or bricked device. By participating in this project you acknowledge these risks and accept them, and agree to not hold me, XDA, or anyone else responsible if you do some dumb ****. - k0mraid3
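    Added example (POSIX shell; not the thread's own code): a small audit that reads a getprop dump and the getenforce output and flags the values this thread treats as unlock or root indicators, i.e. the build.prop properties listed above and the SELinux permissive state mentioned later in the thread. The expected stock values, the file names and the sample dumps are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's own code: audit a "getprop" dump and the
# "getenforce" output for the properties the thread lists as unlock/root
# indicators. Assumed stock, locked-device values: ro.secure=1,
# ro.debuggable=0, ro.boot.flash.locked=1, sys.oem_unlocking_allowed=0,
# and SELinux "Enforcing". Anything else is flagged as possible tampering.
# Real use:  adb shell getprop > props.txt; adb shell getenforce > se.txt
#            check_device props.txt se.txt

# Print the value of one property from getprop dump lines "[name]: [value]".
prop_value() {  # $1 = dump file, $2 = property name
    sed -n "s/^\[$2\]: \[\(.*\)\]\$/\1/p" "$1" | head -n 1
}

# Compare one property with its expected value; print a finding and return 1
# on mismatch, return 0 when it matches.
check_prop() {  # $1 = dump file, $2 = property, $3 = expected value
    actual=$(prop_value "$1" "$2")
    [ "$actual" = "$3" ] && return 0
    echo "TAMPER? $2 is '${actual:-<unset>}' (expected $3)"
    return 1
}

# Run every check; print findings and return the number of mismatches.
check_device() {  # $1 = getprop dump, $2 = file holding getenforce output
    findings=0
    for pair in ro.secure=1 ro.debuggable=0 ro.boot.flash.locked=1 \
                sys.oem_unlocking_allowed=0; do
        check_prop "$1" "${pair%%=*}" "${pair#*=}" || findings=$((findings + 1))
    done
    mode=$(head -n 1 "$2")
    if [ "$mode" != "Enforcing" ]; then
        echo "TAMPER? SELinux is '$mode' (expected Enforcing)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample dumps (not captured from a real device): a stock locked
# device, and one matching the build.prop edits listed in the post above.
work=$(mktemp -d)
printf '%s\n' '[ro.secure]: [1]' '[ro.debuggable]: [0]' \
    '[ro.boot.flash.locked]: [1]' '[sys.oem_unlocking_allowed]: [0]' \
    '[ro.oem_unlock_supported]: [1]' > "$work/props_stock.txt"
echo Enforcing > "$work/se_stock.txt"
printf '%s\n' '[ro.secure]: [0]' '[ro.debuggable]: [1]' \
    '[ro.boot.flash.locked]: [0]' '[sys.oem_unlocking_allowed]: [1]' \
    > "$work/props_tampered.txt"
echo Permissive > "$work/se_tampered.txt"

check_device "$work/props_stock.txt" "$work/se_stock.txt" && echo "stock: no findings"
check_device "$work/props_tampered.txt" "$work/se_tampered.txt" || echo "tampered: $? finding(s)"
```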
    Github Project link: HERE for my fork & HERE for the original project.
    My fork will incorporate the original project, as well as other found root access methods, such as the Magisk injection method mentioned above. My repo is mainly used as a hub for the APK's dev; I don't have enough time to work on it at the moment but all are welcome to help.

    July 15th 2022 (UPDATE) (SAMSUNG DEVICES ONLY): A new Escalation method has been found via the Galaxy app store (Versions BEFORE Galaxy Store 4.5.41.8). No details known yet, but it is said to be very easy. See CVE-2022-33708 (July132022). Unknown if downgrading the app to 4.5.0.0 will enable the method again or not.

    Cred: liamg

    One method to run Traitor on device - Thanks @DevinDking for sharing this.
    Steps to get script on phone.
    Code:
    #!/bin/sh
    set -e
    dir=/data/local/tmp
    adb=${adb:-"adb"}
    # This puts the file on the phone; run the terminal from the directory where traitor is located
    "$adb" push traitor "$dir"
    "$adb" shell chmod 755 "$dir/traitor"

    Now, to run the script, start a new terminal:
    Code:
    adb shell
    # The lines below run on the device, inside the adb shell session
    dir=/data/local/tmp
    "$dir/traitor"   # script opens
    But I assume this wouldn't work right, and isn't right.
    Idk trying my best here xD

    Tools & References:

    Interesting Attack vectors -
    • GFX Components of a system.
    • Issues with Linux itself (i.e. Dirty Pipe)
    • Privilege escalation via any means (i.e. GTFOBins)
    • Unprotected system processes - Hijack them if possible (i.e. RILService Mode, and a wide range of other OEM apps left on devices after ship)
    7/24/22 - Samsung, LG & Other OEMs obfuscating (Intentionally Hiding) Fastboot and ADB Bootloader interfaces on PC

    So over the last week or so I dived head first into USB dev. I'll save you the time and sum it up.
    Vendors and OEMs are actively obfuscating the USB connection between your smartphone and the PC to keep you from rooting. As far as I'm aware, there is no universal way to fix this as each OEM screws with the USB drivers differently. THIS needs to be a point of focus for the rooting community. However, I have found a few tools for dev if you wish to screw with this. (I'll upload them tonight)

    7/24/22 - MTK (MediaTek) based Exploits

    I will try to compile a few methods for FORCING bootloader unlock on MTK based devices as well as a way for manipulating said devices. I will attach two tools to this thread; these tools are EXTREMELY POWERFUL and can completely **** up your device. When I say REALLY F*CK UP your device, I mean to the point you can't even access recovery, Download OR bootloader mode. I'm talking a blank DEAD device. So use with caution.

    With that said, let's talk about the tools. You will need a basic understanding of Python to make use of MTK Client.
    First up, we have MTK Meta Utility (Currently Version 44) (Download Below)
    Next we have MTK Client (Github Link)

    So what can you do? Well, you can crash the Preloader to Brom with MTK Meta Utility while at the same time using MTK Client to send any payload you like to the device via Fastboot.

    I know, vague right now, but I'll add detail over the coming days.


    I will continue to update the below list as new methods are discovered.

    If you find Guides, tutorials or new exploits, please link them in the comments so I can include them in future development!

    Telegram Channel: Here.


    Information on Vulnerabilities, exploits & methods:
    • CVE-2022-0847 (JFrog) - The Story Of "Dirty Pipe"
    • XDA - Dirty Pipe
    • PWNKIT (CVE-2021-4034)
    • CVE-2021-3560
    • Docker Breakout / Privilege Escalation
    • CVE-2022-33708 (July 13 2022)
    • CVE-2022-33701 (July 12 2022)
    • CVE-2022-22268 (Unlock Knox Guard with DEX) (Jan 2022)
    • MTK Client


    Dev Team & credit to: @topjohnwu, LiamG, @wr3cckl3ss1, bkerler

    UPDATED - 7/29/22
    I was able to get this by running "traitor-arm64" on my phone.

    There is also a new vulnerability exploit by Zhenpeng Lin that allows for privilege escalation on Pixel 6 and Galaxy S22 devices running the 5.10 kernel.