
[Qualcomm][MTK] Root for Android 6.0


pvineeth97

Hi guys!

Update: Posted the complete guide! Follow it carefully. Read 2-3 times before doing anything.

I am able to temporarily root LG K420 DS w/Android 6.0.

What does it mean for other models of LG K10? You can root your phone if your phone has the dirtycow vulnerability.

Debugging Tools:

You need android-ndk installed on your computer.

(1) DirtyCow Vulnerability Test Tool: Download here (Ubuntu only)
How to run it: sudo ./vul_test.sh.x

(2) If you don't have the android ndk compiler installed.
Phone Info Data Tool: Click here (Ubuntu Only)
How to run it: sudo ./phone_info.sh.x

Send me the info.data file it produced. It is encrypted. I will analyse it and reply back to you.

COMPLETE these steps before continuing: Click Here

Download this dirtyc0w temporary root shell tool: Click Here

(1) Unzip the root_tool.zip
(2) Connect your phone. Make sure you have "USB Debugging" enabled in "Developer Options".
(3) Run the run_for_arm_devices.bat file. Wait for it to dirtyc0w the shell.
(4) Type "id". You get something similar to this screenshot:
3eAydo0Oq.png

(5) Type "cd data/local/tmp".
(6) Now run "./a.out /init ./init". It replaces the original init file with my patched init file. (But I tried it many times; in Android 6.0, the shell context is not enough to replace init. In Android 5.1.1, I could replace the patched init, but the phone restarts just after replacing the original init with my patched init. This time it was the toolbox context.)
(7) Open another command window. Type "adb logcat". Look for audit messages that the patched sepolicy is replaced with your phone's sepolicy.

-----------------------------------------------------------------
Notes:

(1) My Phone's Security Patch : 2016-10-01.

(2) The security patches from December 2016 & January 2017 can't use this root method because "dirtycow" is patched. Will post a detailed guide on what you can do if you upgraded to the latest update for your phone.

If you have already upgraded to a newer version having dirtyc0w patched, flash a ROM which predates November/December. I flashed a ROM having the security patch date as mentioned above!

(3) The root is just limited to deleting a few files and viewing other folders inside '/'. It is because of SELinux Enforced. I patched the init and sepolicy file. Thanks to @matteogeniaccio for helping me out with patching.

(4) A bonus for MTK owners! You need not unlock bootloader and install TWRP and achieve "ROOT". This method can help you achieve root without unlocking bootloader and without losing warranty! :D
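
How the SELinux audit messages mentioned in step (7) and note (3) can be read from `adb logcat` output, as an added example that is not part of the original post or its tools. The log lines are constructed samples, and the function names are hypothetical.

```python
import re
from collections import Counter

# Matches the kernel's SELinux AVC record as it appears in `adb logcat` output.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?")
KV_RE = re.compile(r'\b(path|name|comm)="([^"]*)"')

# Constructed sample lines (not captured from a real device).
SAMPLE_LOGCAT = """\
02-11 10:15:01.100  4021  4021 W a.out   : type=1400 audit(0.0:91): avc: denied { write } for path="/init" dev="rootfs" ino=6120 scontext=u:r:shell:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
02-11 10:15:01.200  4021  4021 W a.out   : type=1400 audit(0.0:92): avc: denied { write } for path="/init" dev="rootfs" ino=6120 scontext=u:r:shell:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
02-11 10:15:02.000  4030  4030 W ls      : type=1400 audit(0.0:93): avc: denied { read open } for name="data" dev="mmcblk0p30" ino=2 scontext=u:r:shell:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
02-11 10:15:02.500   900   900 I ActivityManager: Displayed com.example/.Main
02-11 10:15:03.000  4040  4040 W toolbox : type=1400 audit(0.0:94): avc: denied { getattr } for path="/sepolicy" dev="rootfs" ino=7 scontext=u:r:toolbox:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
"""

def sel_type(context):
    """Return the type field of user:role:type:level, e.g. 'shell'."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def parse_avc(line):
    """Parse one logcat line; return a dict, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["domain"] = sel_type(rec["scontext"])
    rec["target_type"] = sel_type(rec["tcontext"])
    rec.update(KV_RE.findall(line))  # path=, name=, comm= when present
    # permissive=1 means the access was only logged; a missing field is
    # treated as enforced here (assumption for kernels that omit it).
    rec["enforced"] = rec["result"] == "denied" and rec["permissive"] != "1"
    return rec

def summarize(text):
    """Count enforced denials per (domain, target type, class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        if rec["enforced"]:
            for perm in rec["perms"]:
                counts[(rec["domain"], rec["target_type"], rec["tclass"], perm)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOGCAT).most_common():
        print(n, *key)
```

Repeated enforced `write` denials from the `shell` domain against `rootfs` files are the log-side view of the "shell context is not enough to replace init" behaviour described in step (6).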
 

botenredwolf

This is awesome, I'm glad I left my K425 variant sitting disconnected from the world.
It's still on the 2016-09-01 security patch, software v. K42511i.

I'll gladly experiment if you need one, it's the crap phone I grabbed when I started service before my V20 got unlocked from T-Mo, so if I end up without it, no big deal.

I shall sit here waiting patiently, as I'm sure many of us have been doing for a while. :fingers-crossed:
 

pvineeth97

> This is awesome, I'm glad I left my K425 variant sitting disconnected from the world.
> It's still on the 2016-09-01 security patch, software v. K42511i.
>
> I'll gladly experiment if you need one, it's the crap phone I grabbed when I started service before my V20 got unlocked from T-Mo, so if I end up without it, no big deal.
>
> I shall sit here waiting patiently, as I'm sure many of us have been doing for a while. :fingers-crossed:

Sent you a message.
 

ItzTropic

I got the lg ms428 (metro pcs)
Will it work?

---------- Post added at 02:51 AM ---------- Previous post was at 02:49 AM ----------

Tbh I'm looking forward to this, finally some great news and thanks for your hard work pvineeth97
 

pvineeth97

> I got the lg ms428 (metro pcs)
> Will it work?
>
> ---------- Post added at 02:51 AM ---------- Previous post was at 02:49 AM ----------
>
> Tbh I'm looking forward to this, finally some great news and thanks for your hard work pvineeth97

It doesn't matter whichever phone it is. It's important that your Security-Patch-Date is not older than November.
 

Chief_Nodnarb

Does this phone happen to have any similarities to the LG Tribute HD? I'm just curious if this will work on that phone as well. Those guys have been trying to find a root method for so long now! Thanks in advance for any answers.
 

pvineeth97

> Does this phone happen to have any similarities to the LG Tribute HD? I'm just curious if this will work on that phone as well. Those guys have been trying to find a root method for so long now! Thanks in advance for any answers.

This root method is based on a Linux kernel vulnerability, not on any phone. If your phone is not patched with dirtycow then you can root it.
 

sotoLOTO-

> This root method is based on a Linux kernel vulnerability, not on any phone. If your phone is not patched with dirtycow then you can root it.

> It doesn't matter whichever phone it is. It's important that your Security-Patch-Date is not older than November.

How can I check if my phone is not patched with dirtycow or if my Security-Patch-Date is not older than November? With X-ray or Drammer perhaps or how?
 

botenredwolf

If it's phone independent, would the same process and files that worked when I blew open my V10 (H901)/V20 (H918) work? Could fastboot and any related binaries/scripts also then be injected in somehow to allow for the bootloader to be unlocked? Also, my V10 had the 12-01-2016 patch and still let me in, unsure if that means much or not, or if I'm just bat sh*t crazy.
 

pvineeth97

> How can I check if my phone is not patched with dirtycow or if my Security-Patch-Date is not older than November? With X-ray or Drammer perhaps or how?

Compile this: https://github.com/timwr/CVE-2016-5195

make root

Type id when you see the shell.

Output should be similar to this: uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:shell:s0
 

pvineeth97

> If it's phone independent, would the same process and files that worked when I blew open my V10 (H901)/V20 (H918) work? Could fastboot and any related binaries/scripts also then be injected in somehow to allow for the bootloader to be unlocked? Also, my V10 had the 12-01-2016 patch and still let me in, unsure if that means much or not, or if I'm just bat sh*t crazy.

It depends on which method you are using. If that method is replacing init and sepolicy, you need to patch it for your own phone. Another phone's init and sepolicy might not work for your phone.
 

Fobos531

> It depends on which method you are using. If that method is replacing init and sepolicy, you need to patch it for your own phone. Another phone's init and sepolicy might not work for your phone.

Will this ever enable us to remove preinstalled bloatware on our phones? What exactly is this root method useful for, and how limited is it really?
 

pvineeth97

> Will this ever enable us to remove preinstalled bloatware on our phones? What exactly is this root method useful for, and how limited is it really?

It is limited to shell context. I tried replacing init in Android 6.0; it was not allowing me to dirtycow it. But when I tried replacing it in Android 5.1.1, the phone restarted.
 

Top Liked Posts

    1
    we have in lg g4 forum need you bro
    1
    > How would this work for mac :confused:

    Bootcamp and Windows. Or a virtual machine. Either way, rooting using dirtyc0w requires Windows.