Research on finding root exploit for N900V 4.4.4 (NJ6)

scottgl9

Senior Member
Mar 26, 2012
I have serious doubts about the so-called "proof of root" YouTube video for 4.4.4 N900V, so I've decided to start a research-related thread so we don't have to rely on someone who will probably get everyone's hopes up. Since N900V NJ4 4.4.4 is the oldest flashable version for those of us stuck on 4.4.4 or 5.0, I will be focusing on that build. Here are a few exploits I've found so far which may definitely lead to a root exploit for everyone who is patiently waiting for root access (including me):

1) Android sensord Local Root Exploit - says tested on LG L7, but may also apply to N900V (unconfirmed)
2) Linux Kernel < 3.4.5 - Local Root Exploit (ARM - Android 4.2.2 / 4.4) - N900V NJ6 has kernel version 3.4.0, so this exploit may be a viable option
3) Nexus 5 Android 5.0 - Local Root Exploit - May also apply to other devices as it relies on an SELinux flaw

Here is a very interesting page I found about ABOOT, and details of the Android boot process: http://newandroidbook.com/Articles/aboot.html

We should also look into possibly using Loki for the note 3: https://github.com/djrbliss/loki

Here is an excellent site which lists all known Android root vulnerabilities categorized by Android software version: http://androidvulnerabilities.org/by/version/

scottgl9

Senior Member
Mar 26, 2012
UPDATE: I have some really good news which I came across that applies to N900V NJ6 (build KTU84P):
http://www.androidpolice.com/2014/06/19/google-rolling-out-android-4-4-4-update-ktu84p-with-a-security-fix-factory-imagesbinaries-up-for-nexus-devices/
According to the above, the vulnerability which towelroot exploits was in fact not patched in build KTU84P.

I'm going to compile towelroot and add the N900V to the supported device list, and theoretically it should provide root.


Here are some ideas I'm investigating for achieving root on NJ6:

1) Inject su and SuperUser.apk into the sparse ext4 format system.img.ext4 from the Odin package
2) If someone has a rooted N900V and is on 4.4.4 NJ6 firmware, please do a raw dump of your full system partition and post it. I may be able to convert it to a pre-rooted Odin package
3) Find an unused executable in system.img.ext4 (in sparse format), find the offset of that executable in the sparse image, and directly replace the binary data of the executable with the binary data of su (I replaced e2fsck with the su executable, zero-padded to match the size of e2fsck; I haven't been able to successfully flash with ODIN yet, and am still investigating what aboot checks that is causing it to fail)
4) NJ6 is running kernel version 3.4.0; I'm sure there are quite a few Linux exploits which work on kernel version 3.4.0 and lower.
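Before trusting or flashing a sparse system.img.ext4, it helps to see what the container actually holds. The following is an added example, not code from this thread: it walks the Android sparse image header and chunk table (the libsparse format, magic 0xED26FF3A, 28-byte file header, 12-byte chunk headers) and maps an offset in the unsparsed image back to the bytes that back it in the sparse file. The sample image and all function names are constructed for the example.

```python
import struct

SPARSE_MAGIC = 0xED26FF3A
CHUNK_RAW, CHUNK_FILL, CHUNK_DONT_CARE, CHUNK_CRC32 = 0xCAC1, 0xCAC2, 0xCAC3, 0xCAC4
HDR = struct.Struct("<IHHHHIIII")   # 28-byte sparse file header (little-endian)
CHDR = struct.Struct("<HHII")       # 12-byte chunk header: type, reserved, blocks, total_sz

def parse_sparse(data):
    """Walk the chunk table; return (block size, list of chunk descriptors)."""
    magic, major, _minor, fhs, chs, blk_sz, total_blks, total_chunks, _crc = HDR.unpack_from(data, 0)
    if magic != SPARSE_MAGIC or major != 1:
        raise ValueError("not an Android sparse image")
    chunks, pos, out_blk = [], fhs, 0
    for _ in range(total_chunks):
        ctype, _res, nblk, total_sz = CHDR.unpack_from(data, pos)
        chunks.append({"type": ctype, "out_blk": out_blk, "blocks": nblk,
                       "data_off": pos + chs, "data_len": total_sz - chs})
        out_blk += nblk          # CRC32 chunks carry 0 blocks, so they add nothing
        pos += total_sz          # total_sz includes the chunk header itself
    if out_blk != total_blks:
        raise ValueError("chunk table does not cover total_blks")
    return blk_sz, chunks

def locate(data, image_offset):
    """Map an offset in the unsparsed image to its backing in the sparse file."""
    blk_sz, chunks = parse_sparse(data)
    blk = image_offset // blk_sz
    for c in chunks:
        if c["out_blk"] <= blk < c["out_blk"] + c["blocks"]:
            if c["type"] == CHUNK_RAW:       # bytes exist verbatim in the sparse file
                return ("raw", c["data_off"] + image_offset - c["out_blk"] * blk_sz)
            if c["type"] == CHUNK_FILL:      # block is a repeated 4-byte pattern
                return ("fill", bytes(data[c["data_off"]:c["data_off"] + 4]))
            return ("dont_care", None)       # never written; flasher leaves it alone
    raise ValueError("offset beyond image")

def build_sample(blk_sz=4096):
    """Constructed 4-block image: RAW(1 blk) + DONT_CARE(2 blk) + FILL(1 blk)."""
    raw = b"\x7fELF" + b"A" * (blk_sz - 4)           # constructed raw block contents
    body = CHDR.pack(CHUNK_RAW, 0, 1, CHDR.size + blk_sz) + raw
    body += CHDR.pack(CHUNK_DONT_CARE, 0, 2, CHDR.size)
    body += CHDR.pack(CHUNK_FILL, 0, 1, CHDR.size + 4) + b"\xff\xff\xff\xff"
    return HDR.pack(SPARSE_MAGIC, 1, 0, HDR.size, CHDR.size, blk_sz, 4, 3, 0) + body

if __name__ == "__main__":
    img = build_sample()
    for c in parse_sparse(img)[1]:
        print(hex(c["type"]), c)
    print(locate(img, 100))      # raw byte 100 of the image sits at sparse offset 140
```

Real images use many RAW chunks interleaved with DONT_CARE regions, so an offset in the ext4 view only has file bytes behind it when it lands in a RAW chunk.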

scottgl9

Senior Member
Mar 26, 2012
This is successfully exploiting a vulnerability and is rebooting my Note 3 (not installing su yet; haven't had time to fully research how this root exploit works):

https://github.com/retme7/CVE-2014-7911_poc/

I've attached the prebuilt apk for this vulnerability. I'm getting activity on logcat, just don't have time to look into it fully until I get off of work.

en11gma

Senior Member
Jan 18, 2013
I downgraded from OF1 to NK1.
I also tried going from OF1 directly to NJ6.
Just tick NAND erase in Odin.

yenkoPR

Senior Member
Dec 4, 2011
This is successfully exploiting a vulnerability and is rebooting my Note 3 (not installing su yet; haven't had time to fully research how this root exploit works):

https://github.com/retme7/CVE-2014-7911_poc/

I've attached the prebuilt apk for this vulnerability. I'm getting activity on logcat, just don't have time to look into it fully until I get off of work.
Go on bro, we believe in you!
 

SLver

Senior Member
Sep 28, 2008
Sorry to annoy you guys, but I don't get it: is this exploit just for getting root, or for unlocking the bootloader (at least??)