General (OPEN DEV) BruteRoot - A collection of Root Tactics (Possibly Force Bootloader unlock on NA Samsung S22?)

Just wondering if there have been any updates to the root status of this damn phone?
While I love it as I have pretty much all the Galaxy S series phones, they are my fav but I haven't been able to root any after my S6 Edge Plus, damn, I miss that phone!
Started w/ the Samsung Mesmerize (first time ever rooting) then to the S3 through them all to the S6 EP, all of which I managed to root, my S8, 9, 10e & this one, though...

.... well, I'm slowly starting to hate Samsung!
It's a powerful phone, I give them that but I love having full access and custom ROMs!
Just debating if I should continue to put off the August security update...
 


a63548

Interesting read... Well, I have already updated to the August patch. So that means I'm SOL. LOL
Pretty sure the bootloader version is still the same, U2 (version 2), which is the same as July and, I think, June, meaning we can flash back to those versions if needed. At least that's what I think I've read before. If August's was version 3 then I think you can't go back to lower firmware with a lower bootloader.
 

times_infinity

Pretty sure the bootloader version is still the same, U2 (version 2), which is the same as July and, I think, June, meaning we can flash back to those versions if needed. At least that's what I think I've read before. If August's was version 3 then I think you can't go back to lower firmware with a lower bootloader.
Yep, you can actually go back as far as the May update. Looks like that is the first bit 2 update. I did it the other day coming back from the OneUI 5 beta.
 

galmok

I just downloaded traitor-arm64 from the release page (and asked Windows not to consider this a virus/malware) and put it on my Samsung Galaxy S10+ using:

(win cmd): adb push "C:\Users\bme\Downloads\traitor-arm64" /data/local/tmp
(win cmd): adb shell chmod 755 /data/local/tmp/traitor-arm64

And then started it using:

(win cmd): adb shell
(android cmd): /data/local/tmp/traitor-arm64

but unfortunately, no exploit was found working:


▀█▀ █▀█ ▄▀█ █ ▀█▀ █▀█ █▀█
░█░ █▀▄ █▀█ █ ░█░ █▄█ █▀▄ v0.0.14

[+] Assessing machine state...
[+] Checking for opportunities...
[+] Nothing found to exploit.

Android 12, One UI 4.1, Google Play system date: 1 July 2022, Kernel: 4.14.113-24706840 (21 July 2022), SE status: enforcing (21 July 2022).

And all I want is a good working full backup (and subsequent restore).
 

    Devices & Linux Versions I or other Testers have Successfully Gained Root on:
    (Likely All) MTK CPU Based Android devices UP TO 11 (Maybe 12? I haven't tested) (i.e. LG, Sony, select Samsung devices)
    Android Devices with LINUX KERNEL VERSIONS - 5.8 - 4.14 - Maybe More? (Needs Testing)


    -THIS GUIDE IS NOT BEGINNER FRIENDLY - BASIC UNDERSTANDING OF PYTHON, UNIX/LINUX ETC WILL BE REQUIRED!-

    If you have been holding off updating your device, well, here's some good news: your device may still be vulnerable to a method to gain root access (and subsequently, possibly the ability to edit build.prop and therefore allow OEM unlocking on USA-based devices). <- correct me if I'm wrong, but this should be possible, and once done, should persist across updates, correct?

    As of the time of writing this, there is not currently a simplified APK method, but still, this process is relatively straightforward.
    A lot of the methods used HAVE been patched, from what I understand, but there have got to be plenty of devices out there still which are not updated. This project aims to compile all current, former and future root methods into an APK that will do all the leg-work. If it's able to find a working method, the GUI will pop a root shell for the end user. This SHOULD work regardless of the setting of the "OEM UNLOCK" option in the dev options. A bypass, essentially.

    Regardless, the project linked below uses a myriad of known exploits & vulnerabilities and looks to find one that will work.

    Methods used are:
    • Nearly all of GTFOBins
    • Writeable docker.sock
    • CVE-2022-0847 (Dirty pipe)
    • CVE-2021-4034 (pwnkit)
    • CVE-2021-3560
    It'll exploit most sudo privileges listed in GTFOBins to pop a root shell, as well as exploiting issues like a writable docker.sock, or the recent dirty pipe (CVE-2022-0847). More methods to root will be added over time too.

    There is also an alternative (Dirty Pipe) injection method that uses @topjohnwu's Magisk; this should be implemented into the APK. See this GitHub repo, here.

    I would imagine this could be implemented in a way to target devices that have stopped being supported for updates as well, that do not have TWRP, such as the SM-T307U.

    One big note - I am betting there are still A LOT of devices that are in inventory at retailers that remain on the vulnerable OS. So keeping that in mind, I'd say this is worth building.

    What needs to be done:
    • TESTING!
    • Build APK - HELP NEEDED WITH THIS!
    • Deploy
    Main Goals:
    • Get bootloader unlock ability for devices normally not unlockable (i.e. North American Samsung Galaxy S22, etc.)
      • Above can be achieved by getting temp root via methods detailed here or otherwise, then editing build.prop, altering the below settings (The settings may be worded differently or simply not present at all, depending on device and Firmware version):
      • sys.oem_unlocking_allowed to 1
      • ro.oem_unlock_supported to 1 (most devices are set to 1 by default.)
      • ro.boot.flash.locked to 0
      • ro.secure to 0
      • ro.debuggable to 1
      • I think there may be one or two more that pertain to flash.locked, i.e. flash.locked.other or something very close.
    • Locally, gain temp root (System preferred, but any root will do.) on as many device types as possible.
    • Give device control back to end user.
    • Stay up-to-date on new exploits for root access & update apk accordingly.

    • STAY ETHICAL!!!! This is, in the end, a research project. Meaning all work performed in the context of this project could result in a damaged or bricked device. By participating in this project you acknowledge these risks and accept them, and agree to not hold me, XDA, or anyone else responsible if you do some dumb ****. - k0mraid3
    Github Project link: HERE for my fork & HERE for the original project.
    My fork will incorporate the original project, as well as other found root access methods, such as the Magisk injection method mentioned above. My repo is mainly used as a hub for the APK's dev; I don't have enough time to work on it at the moment but all are welcome to help.

    July 15th 2022 (UPDATE) (SAMSUNG DEVICES ONLY): A new Escalation method has been found via the Galaxy app store (Versions BEFORE Galaxy Store 4.5.41.8). No details known yet, but it is said to be very easy. See CVE-2022-33708 (July132022). Unknown if downgrading the app to 4.5.0.0 will enable the method again or not.

    Cred: liamg

    One method to run Traitor on device - Thanks @DevinDking for sharing this.
    Steps to get script on phone.
    //
    #!/bin/sh
    set -e
    dir=/data/local/tmp
    adb=${adb:-"adb"}
    # Push the binary to the phone; run this from the directory that contains "traitor"
    $adb push traitor ${dir}
    $adb shell chmod 755 ${dir}/traitor
    //
    Now to run the script, start a new terminal
    //
    adb shell
    # Now inside the Android shell on the phone
    dir=/data/local/tmp
    ${dir}/traitor   # the tool starts
    //
    But I assume this wouldn't work right, and isn't right.
    Idk trying my best here xD

    Tools & References:

    Interesting Attack vectors -
    • GFX components of a system.
    • Issues with Linux itself (i.e. Dirty Pipe)
    • Privilege escalation via any means (i.e. GTFOBins)
    • Unprotected system processes - hijack them if possible (i.e. RILService Mode, and a wide range of other OEM apps left on devices after ship)
    7/24/22 - Samsung, LG & other OEMs obfuscating (intentionally hiding) Fastboot and ADB bootloader interfaces on PC

    So over the last week or so I dived head first into USB dev; I'll save you the time and sum it up.
    Vendors and OEMs are actively obfuscating the USB connection between your smartphone and the PC to keep you from rooting. As far as I'm aware, there is no universal way to fix this as each OEM screws with the USB drivers differently. THIS needs to be a point of focus for the rooting community. However, I have found a few tools for dev if you wish to screw with this. (I'll upload them tonight)

    7/24/22 - MTK (MediaTek) based Exploits

    I will try to compile a few methods for FORCING bootloader unlock on MTK based devices as well as a way for manipulating said devices. I will attach two tools to this thread; these tools are EXTREMELY POWERFUL and can completely **** up your device. When I say REALLY F*CK UP your device, I mean to the point you can't even access recovery, Download OR bootloader mode. I'm talking a blank DEAD device. So use with caution.

    With that said, let's talk about the tools. You will need a basic understanding of Python to make use of MTK Client.
    First up, we have MTK Meta Utility (Currently Version 44) (Download Below)
    Next we have MTK Client (Github Link)

    So what can you do? Well, you can crash the Preloader to Brom with MTK Meta Utility while at the same time using MTK Client to send any payload you like to the device via Fastboot.

    I know, vague right now, but I'll add detail over the coming days.


    I will continue to update the below list as new methods are discovered.

    If you find Guides, tutorials or new exploits, please link them in the comments so I can include them in future development!

    Telegram Channel: Here.


    Information on vulnerabilities, exploits & methods:
    • CVE-2022-0847 (JFrog) - The Story Of "Dirty Pipe"
    • XDA - Dirty Pipe
    • PWNKIT (CVE-2021-4034)
    • CVE-2021-3560
    • Docker Breakout / Privilege Escalation
    • CVE-2022-33708 (July132022)
    • CVE-2022-33701 (July122022)
    • CVE-2022-22268 (Unlock Knox Guard with DEX) (JAN2022)
    • MTK Client


    Dev Team & credit to -
    @topjohnwu - LiamG - @wr3cckl3ss1 - bkerler -

    UPDATED - 7/29/22
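    An added example (written for this page; not code from the thread, from the traitor project or from any tool linked above) for the boring checks a tester or a device admin wants before and after a patch: it pulls the lock-related properties listed in the post out of `getprop` output and reports what the device says about itself, and it compares a kernel version string against the public Dirty Pipe (CVE-2022-0847) affected range (introduced in 5.8, fixed in 5.10.102, 5.15.25 and 5.16.11), which is also why a 4.14 kernel like the S10+ above gets "Nothing found" from that module. The property output in the script is a constructed sample, not a real device, and a version-only check is an approximation because OEMs backport fixes, so read "yes" as "confirm against the security patch level" rather than as a result.

```sh
#!/bin/sh
# Added example, not part of this thread or of the traitor project.
# Reads lock-related Android properties from `getprop` output and checks a
# kernel version string against the CVE-2022-0847 (Dirty Pipe) affected range.

# Constructed sample of `adb shell getprop` output (format: [name]: [value]).
SAMPLE_PROPS='[ro.boot.flash.locked]: [1]
[ro.oem_unlock_supported]: [1]
[sys.oem_unlocking_allowed]: [0]
[ro.secure]: [1]
[ro.debuggable]: [0]
[ro.build.version.release]: [12]'

# prop_value NAME PROPS: print the value of NAME, or "unset" if absent.
# Values containing spaces are not handled (none of the lock properties do).
prop_value() {
    printf '%s\n' "$2" | awk -v n="[$1]:" '
        $1 == n { gsub(/^\[|\]$/, "", $2); print $2; found = 1 }
        END     { if (!found) print "unset" }'
}

# lock_posture PROPS: "locked" when the bootloader reports locked and OEM
# unlocking is not allowed; "unlockable" when flash.locked is 0 or OEM
# unlocking is allowed; "unknown" when the properties are missing.
lock_posture() {
    flash_locked=$(prop_value ro.boot.flash.locked "$1")
    oem_allowed=$(prop_value sys.oem_unlocking_allowed "$1")
    if [ "$flash_locked" = 0 ] || [ "$oem_allowed" = 1 ]; then
        echo unlockable
    elif [ "$flash_locked" = 1 ]; then
        echo locked
    else
        echo unknown
    fi
}

# dirty_pipe_affected VERSION: print "yes" if the kernel version falls in the
# CVE-2022-0847 range by version number alone, else "no". Vendor backports are
# not visible here, so "yes" means "check the security patch level".
# Accepts `uname -r` strings such as 4.14.113-24706840 or 5.10.101-android12-9-...
dirty_pipe_affected() {
    ver=${1%%-*}                          # drop the "-build" suffix
    set -- $(printf '%s\n' "$ver" | tr '.' ' ')
    major=$1; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -ne 5 ] || [ "$minor" -lt 8 ]; then
        echo no                           # bug introduced in 5.8; 6.x ships fixed
        return
    fi
    case "$minor" in
        10) [ "$patch" -lt 102 ] && echo yes || echo no ;;
        15) [ "$patch" -lt 25 ]  && echo yes || echo no ;;
        16) [ "$patch" -lt 11 ]  && echo yes || echo no ;;
        *)  [ "$minor" -lt 17 ]  && echo yes || echo no ;;   # 5.8 .. 5.14: no in-branch fix
    esac
}

# Stand-alone demo on the constructed sample. Against a real device, feed it
# "$(adb shell getprop)" and "$(adb shell uname -r)" instead.
echo "lock posture:         $(lock_posture "$SAMPLE_PROPS")"
echo "ro.secure:            $(prop_value ro.secure "$SAMPLE_PROPS")"
echo "ro.debuggable:        $(prop_value ro.debuggable "$SAMPLE_PROPS")"
echo "4.14.113-24706840:    dirty pipe by version? $(dirty_pipe_affected 4.14.113-24706840)"
echo "5.10.101-android12-9: dirty pipe by version? $(dirty_pipe_affected 5.10.101-android12-9)"
```

    On a real phone the two inputs come from `adb shell getprop` and `adb shell uname -r`; the script only reads them and changes nothing on the device, which is the point of running it before trusting any "my firmware is still vulnerable" or "I'm fully patched" claim in a thread like this.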
    An update from kernel security researcher Zhenpeng Lin: he has reported the exploit to Google and will publish details after it has been fixed. He also believes this exploit will allow unlocking the bootloader.
    I'll try to post in it as much as possible. Anyone is welcome to join. Let's try to use this as a resource for communicating new and potential exploits for collective work, dev and rev engineering as well as any questions.

    {Mod edit: Link removed}
    There is also a new vulnerability exploit by Zhenpeng Lin that allows for privilege escalation on Pixel 6 and Galaxy S22 devices running the 5.10 kernel.
    I was able to get this by running "traitor-arm64" on my phone.
