[Q] How Root Toshiba Excite Pro AT10LE-A-108

[dexxxZ]

hi
so i order today Toshiba Excite Pro AT10LE-A-108 tablet from amazaon
http://www.amazon.co.uk/gp/product/B00GXBVHMA/ref=oh_details_o00_s00_i00?ie=UTF8&psc=1#productDetails

Looks Ok, i read some review about this product and all looks good, but, i cant find in internet any info about root this device, so i like ask u, its anybody know something about this, how root that toshiba ?

Thanks for any help

 

[Drahflow]

bf000180 t cleanup_module [sealime]

That's different from my kernel layout, so we'd need a build a different glomus.ko patch.

If you are willing to spend a few more hours on this; I'd need the output of
root@tostab12BA:/ # cat /proc/kallsyms | grep register_sealime
root@tostab12BA:/ # cat /proc/kallsyms | grep print_hex_dump

and a copy of your /system/lib/modules/gps_drv.ko

Then I can patch that into a glomus.ko with instructions to dump (via print_hex_dump) the instructions of register_sealime (which you'll need to pull via adb logcat) and then with that info I can prepare a second version of glomus.ko to disable sealime on your device. It'll take a bit of back-and-forth I think, but OTOH you don't need to do any patching on windows.

 

[PM128]

Was not so easy since that shell doesn't have grep. I had to max the term buffer to 9999 then copy the output (was still truncated) and search in it:
c0857494 r __kstrtab_register_sealime
c08595b2 r __kstrtab_print_hex_dump_bytes
c08595c7 r __kstrtab_print_hex_dump

 

[Drahflow]

Unfortunately, those you found are the addresses in the string table which contains the symbol names, i.e. not useful for this.

Does
cat /proc/kallsyms > /data/local/tmp/kallsyms.txt
give you the full list?

 

[PM128]

Here you go.
Hmm I don't know why are the addresses all 0s now. I had the tabby off for a while and now it doesn't boot (stuck in the sparkling stars). I don't get even the temp root # after ./su.

 

[PM128]

Since I luckily still have access to the shell while the tabby is stuck on the booting I managed to let the dirtycow chow the system again and got the temp root again. With it I was able to get the complete dump of the kallsyms (had to chown it back to shell since adb pull couldn't get it otherwise). Would it be useful for you now?

c02145c4 t register_sealime
c0252878 T print_hex_dump
c02529a0 T print_hex_dump_bytes

Complete dump is attached.

 

[Drahflow]

Thanks, this is useful. I should find some time over the weekend to build a dumping glomus.ko for your device.

 

[Drahflow]

Please find attached a sightly "improved" version of your gps_drv.ko, which you can use like so:

1. Get temp root
2. Replace (in memory only) the original gps_drv.ko with the new one via dirtycow:
root@tostab:/data/local/tmp # ./dirtycow dump_memory.ko /system/lib/modules/gps_drv.ko
3. Load the new gps_drv.ko
root@tostab:/data/local/tmp # insmod /system/lib/modules/gps_drv.ko
It should say:
insmod: init_module '/system/lib/modules/gps_drv.ko' failed (Identifier removed)

4. Dump the kernel error log and search for the code-dump via glomus (should be near the end)
root@tostab:/data/local/tmp # dmesg

It should look like a bunch of lines like this one:
<3>[ 2669.888648] glomusc02096d0: 00 41 3f e2 00 40 bd e8 20 3a 3a e1 dd aa 27 e3 .@-..@..(=...0L.

Please copy them into a .txt and upload. Those are the (hex representation of) the init_sealime instructions. I should be able to use those as a template where to reset whatever init_sealime did (most likely by just clearing two pointers at the right address).

 

[PM128]

First of all thanks so much for your time and dedication to help me.
I pushed the dump_memory.ko into that /data/local/tmp folder (as shell of course, was wondering if I should have chown it to root before letting the dirtycow chew it). Got the temp root and issued the command ad 2.) ... didn't get the desired # prompt back even waited for like 20 minutes (got stuck on something):
root@android:/ # ./dirtycow dump_memory.ko /system/lib/modules/gps_drv.ko
/system/bin/sh: ./dirtycow: not found
127|root@android:/ # cd /data/local/tmp
o /system/lib/modules/gps_drv.ko <
dcow dump_memory.ko /system/lib/modules/gps_drv.ko
[*] size 152743
[*] mmap 0x40192000
[*] currently 0x40192000=464c457f
[*] using ptrace method
[*] madvise = 0x40192000 152743
[*] ptrace 0 5
[*] exploited 14500 0x40192000=464c457f
root@android:/data/local/tmp # [*] madvise = 0 16777216
[*] exploited 0 0x40192000=464c457f
<--- here it stopped and no further progress
root@android:/data/local/tmp # <--- after pressing Enter

So instead of proceeding to the step 3.) here is the dmesg output so far no glomus there. Please note that the tablet is stuck in the boot process somewhere.

 

[Drahflow]

I'm not exactly sure what's going on in your terminal (I think it didn't like to display one of the longer commands and the display / copy-paste got jumbled somewhat after that). But otherwise everything seems fine. Maybe it'll be better if you use a wider terminal, but no idea.
Anyway... Please redo step 2 (as soon as enter gets you a new prompt it's done; no need to wait 20 minutes) and then proceed to step 3 and 4. That the tablet is stuck somewhere in UI startup shouldn't matter.

 

[PM128]

My Win terminal/cmd has 132 chars width, it must be some limitation either by adb or the shell of the device but this doesn't really matter since the command is always taken.
I tried to redo the step 2.) after I got the prompt by clicking enter several times, see the attached log of my attempts. So then the step 2.) seemed to get through giving me prompt but then by step 3.) the whole tablet froze hard. I had to kill the terminal and make hard reset of the tablet since the sparkling stars froze too. Tried to make the whole procedure after the half boot again... total freeze by step 3.)
I am afraid if I would try to do factory reset of the tablet in recovery mode I might lose the settings for USB debugging (the adb gateway into the device) and the tablet would become completely unaccessible dead brick.
Do you still have energy to continue? Doesn't have to be today...

 

[Drahflow]

Sorry, I fear I confused the versions of the .ko file between my device and the new development for yours. Could you kindly retry step 3 with the attached .ko?

And indeed, DO NOT factory reset. There is nothing to be gained and potentially the adb access to be lost.

 

[PM128]

Heureka! I finally got the desired message about 'Identifier removed'. So here are the kernel messages attached. There are 16 lines with glomus in them.

 

[Drahflow]

Perfect! Based on this, I prepared a glomus.ko for your (and I sure hope all) at300se.

It should work like this:
1. Get temp root
2. Replace (in memory only) gps_drv.ko with glomus.ko
root@tostab:/data/local/tmp # ./dirtycow glomus.ko /system/lib/modules/gps_drv.ko
3. Load replaced driver
root@tostab:/data/local/tmp # insmod /system/lib/modules/gps_drv.ko
Should again complain about "Identifier removed."
4. Try to mount /system read-write
root@tostab:/data/local/tmp # mount -o remount,rw /system
5. Enjoy your new power to modify the system image any way you like. (No replacing the kernel though, as I said initially.)

 

[PM128]

Thank you for the glomus.ko But seems today still no victory. System freezes again at step 4.):

stem/lib/modules/gps_drv.ko <
dcow glomus.ko /system/lib/modules/gps_drv.ko
[*] size 152743
[*] mmap 0x4013a000
[*] currently 0x4013a000=464c457f
[*] using ptrace method
[*] madvise = 0x4013a000 152743
[*] ptrace 0 4
[*] exploited 537 0x4013a000=464c457f
root@android:/data/local/tmp #
root@android:/data/local/tmp #
root@android:/data/local/tmp # [*] madvise = 0 16777216 <--- wonder what output of some running process this is
[*] exploited 0 0x4013a000=464c457f

root@android:/data/local/tmp #
root@android:/data/local/tmp #
root@android:/data/local/tmp # insmod /system/lib/modules/gps_drv.ko
insmod: init_module '/system/lib/modules/gps_drv.ko' failed (Identifier removed)
255|root@android:/data/local/tmp #
255|root@android:/data/local/tmp #
255|root@android:/data/local/tmp # mount -o remount,rw /system
root@android:/data/local/tmp # <--- system freezes no prompt back no Enter

 

[Drahflow]

Now that is sad. It *could* be something entirely else is wrong with your tablet (e.g. it dies upon remounting the filesystem due to corruption or problems with the flash chip), but how likely is that?

Can you do other sealime-restricted operations, e.g.
root@android:/data/local/tmp # cp /modules/sealime.ko /data/local/tmp/

Test before and after loading glomus.ko. Without it loaded, it should give you a permission denied error, with glomus.ko loaded, it should work (and not freeze the tablet). If it still freezes, something has changed in how sealime can be unregistered between the at300se and the excite pro.

Even in that case, don't declare the tablet useless yet, someone posted a cheap at300se on ebay a few days ago so I can test locally.

 

[PM128]

It didn't freeze the tablet but both ways before and after it's the same: Operation not permitted. 'cp' command is not recognized by the shell so I tried to use 'dd' instead see attached log. My knowledge of Linux is very limited.
If you would find a solution so that I could at least have it bootable again I would be so thankful. I understand it might take longer time but I guess I am not the only one who have successfully bricked the AT300SE device so it would help the community as well.

 

[Drahflow]

You forgot to
root@android:/data/local/tmp # insmod /system/lib/modules/gps_drv.ko
after the dirtycow in your last test.

 

[PM128]

You are right when I look back on that txt file that I created from some cut-off parts of the terminal window. But it may also be that Dr. Alzheimer suddenly called me interrupting my work as he usually starts bugging me already at my age .
Anyway I tried again today (hopefully all the steps), it didn't freeze but 'Operation not permitted'
I am still wondering if the dirtycow chews the system successfully. Why are always coming still some messages within like 10~15 secs when it gave the # prompt already? At that moment the prompt disappears until I press the Enter again. Strange what is it doing. Like if the sealime would still win the race over the dirty cow...

 

[Drahflow]

I read your last procedure log. Did you dcow the dump_memory.ko, maybe? You need to dcow the glomus.ko (and only that).

I.e.

1. Get temp root
2. dcow glomus.ko /system/lib/modules/gps_drv.ko
3. insmod /system/lib/modules/gps_drv.ko
4. Try some restricted operation: E.g. dd if=/modules/sealime.ko of=/data/local/tmp/sealime.ko

(Wouldn't hurt to have an adb logcat running in parallel to some other window, maybe we can still see some errors if it freezes again.)

 

[PM128]

Hi Drahflow thank you for your persistence I thought you gave up on it. I dcow'd indeed the dump_memory.ko which came as instruction in your Post#127. So now I tried to dcow the glomus.ko and managed to get the sealime.ko module (see attached). The adb logcat runs constantly in the second terminal so I just copied some excerpts from it since it overwrites the buffer and runs and runs mostly with Fatal error 11.