• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

[Root][4.4.2 ND7]GhettoRoot (Towelroot port) v0.3.2

Search This thread

25yvdgpo06

Member
May 3, 2014
21
69
GhettoRoot (Towelroot port) v0.3.0.1, v0.3.2 Testing (looking for new owner)

Code:
*** Disclaimer

This project is licensed under the GPLv3.  Bundled third-party components
have different licenses, but these components are bundled or downloaded
as separate executables; all appropriate LICENSE files are included, along
with links to source code.

THIS UTILITY MAKES USE OF A KERNEL EXPLOIT TO GAIN ROOT PRIVILEGES
AND MAKE MODIFICATIONS TO YOUR DEVICE'S FILESYSTEM.  IT WILL
PROBABLY WILL VOID YOUR WARRANTY.  IF YOU DO NOT FOLLOW THE
INSTRUCTIONS, YOU COULD END UP WITH A BRICK.  EVEN IF YOU DO
FOLLOW THE INSTRUCTIONS, YOU MIGHT END UP WITH A BRICK.

ROOTING IS A POTENTIALLY DANGEROUS PROCESS AND, WHILE I WILL TRY
TO HELP IF YOU HAVE TROUBLE, I CANNOT ACCEPT RESPONSIBILITY
FOR RANDOM MISFORTUNE, COSMIC RAYS, ETC.

Help Wanted
My activity with this project will be diminishing. As far as I know, everything as of now "just works" with the SCH-I605, and that's all I really wanted to accomplish from the start. I'm hoping someone will take it over -- ideally someone who'd be willing to look into fixing the code to support other devices. It's open-source, so you can start looking at it now and see if you're interested. Compiling is simple... Just install the NDK and use ndk-build, or 'make' in Linux.

If you'd like to take over the development, and you've worked on projects like this before, I'd greatly appreciate it; perhaps we can get a mod to transfer this thread to you, or you're free to start a new one. After a certain point, I'll stop monitoring threads and messages, so you're free to go ahead and take charge without waiting to hear from me, if you'd like.

Post elsewhere, if you'd like, to let people know that this code is available and might be adjustable for other devices. It really shouldn't be difficult for someone with a background with this stuff.

Problematic areas are likely the iov code (search "Not sure if this is entirely correct") and also the limit_offset stuff (search "ph->limit_offset != 0"), but I have no way of knowing for sure if there's anything wrong with limit_offset since I don't have an applicable Samsung device. There are scattered references to the sources I used to figure out some of this in the README and in ghettoroot.c itself.

That's all, folks. Thanks.


Introduction
This is an automatic root method for your Note 2 (or, potentially, other device) based on code for the CVE-2014-3153 exploit.Unlike towelroot, it is a tethered root in that it requires you to connect your device to a computer to perform the root. However, it only requires a computer the one time; root sticks.

This code appears to have been reverse-engineered from towelroot itself (but not the latest version), so Geohot gets the credit for this one. This is more like a bugfix which only works (for sure) with the Verizon Galaxy Note II so far. The changes from the towelroot-equivalent exploit code are incredibly minimal. Only a few lines of code need really be changed to get it working, but devices incompatible with towelroot are becoming ghetto, so there wasn't a lot of motivation for the problems to be investigated.

GhettoRoot attempts to walk you through the prerequisites for the rooting process and give you hints if there are problems; it does the dirty work itself.


Installation instructions
Please see the LICENSE file for details on copying and usage (GPLv3).

This software will attempt to root your device and might void its warranty.
Please BACK UP ANYTHING IMPORTANT before continuing.

Note: By default, v0.3.0.1 attempts to disable Knox and OTA update packages.
If you'd rather this not happen, scroll to CONFIGURATION.

  1. Install USB drivers for your device if needed, for Windows.
    Koush's drivers are a good bet. 'Download Windows Installer', and run:
    https://github.com/koush/UniversalAdbDriver
  2. Download the busybox-arm4vl binary. The installer will help you with this.
    You can get it manually from http://www.busybox.net, specifically from
    http://www.busybox.net/downloads/binaries/latest
    Place the binary in the files/ folder. It will be automatically renamed
    to 'busybox'.
  3. Enable USB debugging. If necessary, go to 'About device' under Settings and tap
    the Build number several times to enable the Developer options. Go back, and
    go to Developer options, and enable USB debugging there.
  4. Plug in your device to your computer.
  5. Unlock your device's lockscreen if it is locked.
  6. Manually choose a USB mode from the notification, or wait for the Installer mode
    phase of USB to end, which takes about 30 seconds. If your device does not have
    an Installer mode, skip this. If you're not sure, just wait the 30 seconds.
  7. If/when a popup appears asking for authorization for your PC, allow it.
  8. If a popup does not appear and has never appeared before, or you clicked Cancel,
    or you're just having a lot of trouble, go to Developer option and toggle USB
    debugging off and on again. Then, try again. You may need to disconnect and re-
    connect your device or tap Revoke USB authorization if nothing seems to help.
  9. On Linux or OS X, enter a terminal at the folder you extracted the zip file to,
    and type chmod +x INSTALL.sh.
  10. To run, execute INSTALL.cmd on Windows.
    On Linux or OS X, type the following in the same terminal: ./INSTALL.sh
  11. Follow the on-screen instructions.


Configuration
v0.3.2 config.txt details:
Code:
  Open up config.txt, and customize as follows, adding or removing arguments
    as you see fit. It should always start with ./root.sh
  *** ENSURE THE CONTENTS OF config.txt IS A *SINGLE LINE*.
  *** COMMENTS WITHIN config.txt ARE NOT PERMITTED.
  Default: ./root.sh --root --deknox --deota --desurveillance
  Former default: ./root.sh --root --disable-knox --disable-ota

Usage: ./root.sh [OPTION] [COMMAND]
  With no arguments, --root is implied.

  Main options
  --root, --supersu    Install SuperSU (permaroot)
  --deknox             Remove Knox (recommended)
  --deota              Remove OTA packages (recommended)
  --debloat            Remove Bloat (recommended)
  --desurveillance     Remove some surveillance (recommended)
  --disable-ota        Disable OTA update-related packages
  --disable-knox       Disable Knox packages
  --really-remove      Actually remove things instead of
                       putting them in $jaildir
  --undo               Try to undo the specified option.
                       If you had used --really-remove then
                       it won't work for deknox, debloat, deota.

  Anti-convenience options
  --no-mount-rw        Don't mount / and /system read-write
  --no-sepermissive    Don't set SEAndroid to permissive
  --no-chmod-scripts   Don't chmod 0755 all scripts in
                       $TMPDIR

  COMMAND: Command to be run after other options.
           Arguments may follow.
           If unspecified, will look for and run custom.sh.

  ex. ./root.sh --root
      ./root.sh --root --undo
      ./root.sh --root --deknox --deota --debloat
      ./root.sh cp /sdcard/build.prop /system/build.prop
[/HIDE]

Thanks To/Credits
Code:
  geohot for developing [URL="http://forum.xda-developers.com/showthread.php?t=2783157"][U]towelroot[/U][/URL], on which
    this code is DIRECTLY based! Reverse-engineered/decompiled, but not by me.
    I don't think anyone had a licensing claim on towelroot or this code so I made it GPLv3.
  fi01 for his shared [URL="https://gist.github.com/fi01/a838dea63323c7c003cd"][U]exploit code[/U][/URL] on github:
  tinyhack.com for the [URL="http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/"][U]helpful post on the Futex bug[/U][/URL]:
  chainfire, for [URL="http://forum.xda-developers.com/showthread.php?t=1538053"][U]SuperSU[/U][/URL]!
      THANK YOU for the lenient distribution policy.
  NetworkingPro at xda-developers for the assistance to all. :)
  Other folks at xda-developers for testing and offering support.
  Google, of course, and the Android Open Source Project.

Changelog & Download
A note on v0.3.2 Testing:
Code:
WARNING:  ESPECIALLY with this version, PLEASE make sure you have backups of
          your important applications and their data!
          Alternatively, you might be safer changing config.txt to the
          old value as listed below.
Code:
This version is called 'Testing' because I haven't really had time to test it
fully, and there's a bunch of new stuff, namely the de* (*-removal) scripts.

I DON'T KNOW HOW WELL THE DE* CODE WORKS. You may want to give me some time
to see how my device holds up before testing yourself, or check out
files/root.sh to see what the new stuff does, but I do need other people to
test as well, so I've changed the config.txt to include the new features,
sans --debloat.

If you DO NOT want to try the new features, change config.txt to the following:
./root.sh --root --disable-knox --disable-ota

However, even the --disable-knox and --disable-ota code has changed.
Your mileage may vary!

Search files/root.sh for ### DEBLOAT, ### DEKNOX, ### DEOTA, ## DESURVEILLANCE,
etc. to see exactly what they do.

Code:
Current changelog: [U][B][URL="http://forum.xda-developers.com/devdb/project/dl/?id=8457"]v0.3.2 [I]Testing[/I][/URL][/B][/U] (2014/09/08)
[fixed?] drowsy attempt to fix a silly bug with default modstring
[new] new default config.txt: --deknox, --deota, --desurveillance
[new] --deknox, --deota, --debloat, --desurveillance, --really-remove,
      --undo features added. See README.txt or search files/root.sh
      for ### DEBLOAT, ### DEKNOX, ### DEOTA, ## DESURVEILLANCE,
      etc. to see exactly what they do.
[change] starting to change verbage from 'phone' to 'device'
[note] v0.3.1 would have been too confusing, so straight to v0.3.2.

[U][B][URL="http://forum.xda-developers.com/devdb/project/dl/?id=8439"]Download v0.3.0.1[/URL][/B][/U] (2014/09/07)
[fixed] Issue with find.exe when other find executables are in PATH.

[URL="http://forum.xda-developers.com/devdb/project/dl/?id=8438"]v0.3.0 (2014/09/07)[/URL]
[new] License: this project is licensed under GPLv3.
[new] Added ADB binaries for Linux and Mac OS X.
[note] This means we have experimental & untested support for Intel Macs
[changed] Restructuring of post-root procedures:
   No more hard-coded commands for installing SuperSU, etc.
   These things are present in files/root.sh instead, and
     may be freely edited.
[changed] Command-line parameters have DRASTICALLY changed.
  See the README.txt.
[new] Added modstrings.txt, config.txt
[changed] Busybox no longer bundled due to licensing concerns;
  curl added for downloading busybox, instead.

Older changelogs:

Code:
v0.2.2 (2014/09/04)
Fixed INSTALL.cmd hanging when launching ADB, or not running
  properly as an administrator.
Further improved error handling, with more detailed steps for
  troubleshooting, and retries.
User acknowledgment now required for certain tasks with (Y/N).
Fixed date on previous update being in the future... Hmm...

v0.2.1 (2014/09/03)
** pulled, did not fix adb hang issue after all **

v0.2 (2014/09/03)
Code cleaned up a bit, but still gives verbose debug messages
  since they might be important. Can disable those with --brief.
Some error handling in the install script.
Everything is orchestrated from a single batch file ("one-click",
  though multiple scripts are still used internally).
Should work properly with Windows and Linux, and come
  bundled with ADB for Windows. Thanks, NetworkingPro!

v0.1 (2014/08/31)
Initial release.


LINK TO FORMER THREAD HERE

Apologies in advance for any kind of faux pas I've made or rule I've broken. There always seems to be something...

Code:
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
*  GhettoRoot is free software: you can redistribute it and/or modify     *
*  it under the terms of the GNU General Public License as published by   *
*  the Free Software Foundation, either version 3 of the License, or      *
*  (at your option) any later version.                                    *
*                                                                         *
*  GhettoRoot is distributed in the hope that it will be useful,          *
*  but WITHOUT ANY WARRANTY; without even the implied warranty of         *
*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          *
*  GNU General Public License for more details.                           *
*                                                                         *
*  You should have received a copy of the GNU General Public License      *
*  along with GhettoRoot.  If not, see <http://www.gnu.org/licenses/>.    *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 

Attachments

  • ghettoroot.zip
    2.2 MB · Views: 6,261
  • ghettoroot-v0.2.zip
    2.7 MB · Views: 2,392
  • ghettoroot-v0.2.2.zip
    2.8 MB · Views: 10,813
  • ghettoroot-v0.3.2.zip
    3.3 MB · Views: 29,259
Last edited:
Feb 4, 2014
7
0
hmmm

If I hadn't just killed my phone (perma red angry text of death) I would definitely help test. Of course you have me to thank as well. Why? Because I knew as soon as I broke my phone, or upgraded someone would come out with a root fix. So you're welcome. However there is still a good chance that the new "probably very used" replacement phone I get from Verizon will be 4.4.2 already so then I will try this out. Unless this is some sort of very cruel trick played on those of us that can't afford to upgrade our phones every other month, in which case shame on you, and I will still try it until I am blue in the face. And crying.
 
Last edited:

25yvdgpo06

Member
May 3, 2014
21
69
If I hadn't just killed my phone (perma red angry text of death) I would definitely help test. Of course you have me to thank as well. Why? Because I knew as soon as I broke my phone, or upgraded someone would come out with a root fix. So you're welcome. However there is still a good chance that the new "probably very used" replacement phone I get from Verizon will be 4.4.2 already so then I will try this out. Unless this is some sort of very cruel trick played on those of us that can't afford to upgrade our phones every other month, in which case shame on you, and I will still try it until I am blue in the face. And crying.

Nope, not a trick! My username looks a bit dubious even to me, but it was randomly generated by KeePass.
 

alkitchen

Member
May 6, 2013
26
6
I am getting, "error: device unauthorized. Please check the confirmation dialog on your device." I am not getting anything on my phone. Any thoughts?
 

TCPDump

Senior Member
May 26, 2014
402
288
Central US
Im testing this now. Will let you know in a few mins. So far, so good.

Edit: This worked like a champ for me. Root achieved. For anyone wanting to do this, please follow these steps:

  • Run clean.cmd
  • Run prepare.cmd
  • Run root.cmd

Do these in this order. I went ahead and added a pause to each batch (Except root.bat that already had one) to ensure everything was kicking off as expected. Sorry if this was outlined in the OP, but Im sort of a "D personality" and wont read a lot of fluff.

Thanks!
 
Last edited:

Matttrix

Senior Member
May 18, 2011
163
21
Seems to be running good here to ... some more fiddling and see how things go but I now have root on 4.4.2. Thanks

Update: no problems also Knox has NOT been tripped and no other issues.
 
Last edited:

akleeuw

Member
Jun 22, 2012
8
0
Worked for me!

I tried this, and it worked like a charm. So far, no issues.

Thank you!!!
 

Droc1983

Senior Member
Feb 8, 2012
68
3
I still don't have root. Not sure what went wrong. My phone restarted like it was supposed to but not root.
 

Tkun

Senior Member
Oct 10, 2010
424
49
Im testing this now. Will let you know in a few mins. So far, so good.

Edit: This worked like a champ for me. Root achieved. For anyone wanting to do this, please follow these steps:

  • Run clean.cmd
  • Run prepare.cmd
  • Run root.cmd

Do these in this order. I went ahead and added a pause to each batch (Except root.bat that already had one) to ensure everything was kicking off as expected. Sorry if this was outlined in the OP, but Im sort of a "D personality" and wont read a lot of fluff.

Thanks!

Does clean.cmd wipe all data? I only ran root.cmd and the phone rebooted like it was supposed to, but Titanium Backup doesn't register my device as rooted.
 

Tkun

Senior Member
Oct 10, 2010
424
49
It just cleans up old root files that might have been part of previous root methods, or failed attempts.

Thanks! Using your steps it worked and my phone is rooted!

Also, thanks OP for providing this solution! I was worried us 4.4.2 users would never again have root. I can finally backup and restore my apps again using Titanium Backup. :D
 
  • Like
Reactions: TCPDump

TCPDump

Senior Member
May 26, 2014
402
288
Central US
Thanks! Using your steps it worked and my phone is rooted!

Also, thanks OP for providing this solution! I was worried us 4.4.2 users would never again have root. I can finally backup and restore my apps again using Titanium Backup. :D
Glad I could help, I went ahead and read through the source code before I did it, so had a pretty good idea of what it was doing.

---------- Post added at 10:38 PM ---------- Previous post was at 10:36 PM ----------

tl;dr: This is a modified version of [basically towelroot] to work with the Verizon Galaxy Note II (SCH-I605) VRUFND7 firmware.
Currently, a PC with the Prerequisites is required. If someone wants to package this into an APK, that's great and it may remove the PC requirement.

I'm too new to be allowed to post in the developer forums (which is probably for the best), and I don't consider myself much of a developer anyway, but with a couple sleepless nights, a little bit of determination, and a lot of sugar cereal (but not enough milk!!!!), I've modded some code based on Towelroot to get the CVE-2014-3153 exploit to work with our phone and its 3.0.31 kernel. Who knows - it might work with other phones, too, but this is the only one I have right now.

WARNINGS
YOUR MILEAGE MAY VARY. THIS WILL PROBABLY VOID YOUR WARRANTY. PLEASE BACK UP IMPORTANT FILES FIRST, JUST IN CASE AND AS A GOOD PRACTICE.
Your phone will reboot after rooting which could cause data loss if any apps are in the middle of writing data, so please close open apps and wait a few moments before rooting! If your phone is just starting up, give it some time to initialize before rooting. These recommendations should be followed prior to almost any automated reboot of your phone, but particularly when rooting.
This does not flash anything, so as far as I'm aware, it will not trip KNOX but I really don't know! It DOES try to disable KNOX, which might trip it. I don't know how any of that works.
There *shouldn't* be any problems with this, but if there are, keep in mind that you made the choice to try it, knowing it's relatively untested. As of first posting of the binary, I am the only person who has tested this.

PREREQUISITES
You will need access to a computer with the following things:
  • Android SDK
  • ADB in your PATH (in platform-tools at your Android SDK install path)
  • Your phone's USB drivers
  • USB debugging enabled

INSTRUCTIONS
  1. Connect your phone to your computer.
  2. Close any active applications on your phone so you don't lose data when your phone reboots. If your phone just started, give it time to initialize.
  3. Once active apps are closed, wait 10-20 seconds or so for the phone to be done doing stuff.
  4. With that out of the way, extract the zip file if you haven't already.
  5. The procedure will execute immediately when running the scripts, so this is your last chance to back out! Do not proceed if you don't feel ready!
  6. Run root.cmd on Windows, or root.sh on Linux and maybe OS X.
  7. Allow your phone to reboot after the process, and enjoy root. Let me know if you got errors or it didn't work.
  8. This has not happened to me (or anyone else to my knowledge, since I just released this), but if it goes into a loop trying to root and keeps failing, go ahead and CTRL-C to end it, and then close the command window. If worst comes to worst, shut off your phone or pull the battery.
QUESTIONS
Q. What's the difference between this and Towelroot, then?
A. There are a few modifications to the reverse-engineered source code of Towelroot, or at least I assume that's what the code is, since Towelroot isn't open source, as far as I know. There is a github link to that source at the top of ghettoroot.c, included in the zip file. You can do a diff comparing ghettoroot.c to the github code to see exactly what I changed.

Q. And this will get me rooted, even if I have a locked bootloader?
A. Yeah. It won't unlock your bootloader, though. If you find me some info on how the previous bootloader unlocks were found and/or what they involved, I might try to look into it...

Q. You mentioned command-line options. I tried out -? or --help and saw them but it's nearly impossible to read.
A. The help is a mess, but this usage message -- to be included in a future version -- should be more...useful.
The root.sh and root.cmd scripts should pass your arguments along to the ghettoroot binary, so where you see ghettoroot in the usage message, replace with ./root.sh (be sure to chmod +x it) or root.cmd.
Code:
Usage: ghettoroot METHOD ALIGN LIMIT_OFFSET HIT_IOV EXCLUDE_FEATURE
                  USERCMD USERARGV

  All parameters are optional. The first non-number and following arguments
  will be interpreted as the user command and user arguments.

  ex. ghettoroot <-- runs with defaults, attempting to detect some settings
      ghettoroot 0 1 0 4 0 <-- standard, default root for most phones.
      ghettoroot mkdir /system/happyface <-- does everything, then that...
      ghettoroot 0 1 0 4 7 cp /sdcard/build.prop /system/build.prop
                 ^ copies a modified build.prop but does not permaroot, etc.

  Formatting key: [Default value]PARAMETER NAME: value range: description
  [0]METHOD: 0-sendmmsg, 1-recvmmsg, 2-sendmsg, 3-recvmsg:
     This typically does not need to be changed.
  [1]ALIGN: 0/1: attack all 8 IOVs hit with MAGIC
     This behavior may/may not match up with original ALIGN behavior.
     Currently, enabling this causes HIT_IOV to go unused.
  [0]LIMIT_OFFSET: 0-8192: offset of addr_limit in thread_info, multiple of 4
     If desperate, download manufacturer's kernel sources to check headers.
     Rarely necessary, but 7380 is needed for newer Samsung phone models.
  [4]HIT_IOV: 0-7: offset to rt_waiter in vulnerable futex_wait_requeue_pi.
     see vulnerable futex_wait_requeue_pi function for your kernel if needed.
  [0]EXCLUDE_FEATURE: 0-31: all features are enabled by default.
     to disable, add up the numbers for any/all of the following features:
       1  Install SuperSU
       2  Disable Knox
       4  Disable OTA Updates
       8  SEAndroid Permissive (temporary)
       16 Mount /, /system read-write (temporary)
  Example values for EXCLUDE_FEATURE:
    31 temp roots solely to run a user command, immediately after root.
       Reboot is still required.
     6 does *not* disable Knox or OTA, but installs SuperSU.
     7 does *not* disable Knox or OTA updates, or install SuperSU.
       Still remounts /, /system as rewrite and turns off SEAndroid.
       Meant to be used with a user command, or else it is pointless.

  USERCMD: Command to be run after all other enabled featuers, if any.
  USERARGV: All further arguments are passed along to the user command.
I don't know how well any of those arguments are working. You shouldn't need any of them for this phone.

Q. I think ToiletRoot would have been a better name.
A. Hmm... Me too. Oh well.

CREDITS
GeoHot, developer of Towelroot, on which this is based, and without whom it would be impossible.
Chainfire, developer of SuperSU, which is bundled.
Somebody, developer/compiler of busybox, which is bundled. To be honest I don't know where it came from. It was lying around on my PC. I know, I know... just let me know if I really need to make my life revolve around fixing political issues like this and I will try.
fi01, person on Github sharing code publicly :)

Apologies in advance for some kind of faux pas I've made or rule I've broken. There always seems to be something(s).
Where did you pick this up at? I want to go ahead and rewrite it to be more efficient later tonight, but I kind of need to know where it came from?

---------- Post added at 10:39 PM ---------- Previous post was at 10:38 PM ----------

Oh well, screw it... I'll go ahead and clean it up later.
 

25yvdgpo06

Member
May 3, 2014
21
69
Glad I could help, I went ahead and read through the source code before I did it, so had a pretty good idea of what it was doing.

---------- Post added at 10:38 PM ---------- Previous post was at 10:36 PM ----------


Where did you pick this up at? I want to go ahead and rewrite it to be more efficient later tonight, but I kind of need to know where it came from?

---------- Post added at 10:39 PM ---------- Previous post was at 10:38 PM ----------

Oh well, screw it... I'll go ahead and clean it up later.
It is the first link at the top of ghettoroot.c, fi01's cube-towel.c page. (Every page linked in ghettoroot.c was helpful.)

I am planning to clean it up a bit myself this evening, but if someone wants to repackage the entire thing and re-post to a new thread, go for it! :) Or you can wait until I clean things up a little bit and then do it... Or just not. Whatever you want to do. I'm not very concerned about who gets credit for what, though a mention of my randomly-generated name might be nice.

Thanks to those who've helped others so far, and those who've shared success/failure.

EDIT: Wanted to point out that there were very few changes from fi01's original cube-towel.c code that were necessary to get the exploit itself to work. The rest is fluffy stuff, in addition to execution of useful commands once root was gained rather than being a proof-of-concept alone.

Here is *exactly* what was changed in the exploit code. Very minimal, you will see.

Setting of processor affinity added as recommended at tinyhack.com's "Exploiting the Futex Bug and uncovering Towelroot" post, and called in main():
Code:
void setaffinity()
{
  pid_t pid = syscall(__NR_getpid);
  int mask=1;
  int syscallres = syscall(__NR_sched_setaffinity, pid, sizeof(mask), &mask);
  if (syscallres)
  {
      printf("Error in the syscall setaffinity: mask=%d=0x%x err=%d=0x%x", mask, mask, errno, errno);
      sleep(2);
      printf("This could be bad, but what the heck... We'll try continuing anyway.");
      sleep(2);
  }
}
Change to IOV code, also using tinyhack.com recommendations:
From:
Code:
	if (ph->l2 == 0) {
		for (i = 0; i < 8; i++) {
			msg_iov[i].iov_base = (void *)MAGIC;
			msg_iov[i].iov_len = MAGIC_ALT;
		}
	}
	else {
		for (i = 0; i < 8; i++) {
			msg_iov[i].iov_base = (void *)MAGIC;
			msg_iov[i].iov_len = 0x10;
		}
	}
To:
Code:
  // tbh i'm not really sure how this is supposed to look or work
  // but it is working with note 2 as is with modstring 0 1 0 4
  // and that is all i care about right now.
  // see http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/
  for (i = 0; i < 8; i++) {
    iov[i].iov_base = (void *)MAGIC;
    if (ph->align == 0) {
      if (i==ph->hit_iov) {
        iov[i].iov_len = MAGIC_ALT;
      }
      else {
        iov[i].iov_len = 0x10;
      }
    }
    else {
      iov[i].iov_len = MAGIC_ALT;
    }
  }
When searching through task structures for a credential to overwrite (to get us root), verify that the credential is in kernel address space, the same way the other pointers are verified. Otherwise, we're not in the right place in memory yet...
From:
Code:
		if (task->cpu_timers[0].next == task->cpu_timers[0].prev && (unsigned long)task->cpu_timers[0].next > KERNEL_START
		 && task->cpu_timers[1].next == task->cpu_timers[1].prev && (unsigned long)task->cpu_timers[1].next > KERNEL_START
		 && task->cpu_timers[2].next == task->cpu_timers[2].prev && (unsigned long)task->cpu_timers[2].next > KERNEL_START
		 && task->real_cred == task->cred) {
To:
Code:
		if (task->cpu_timers[0].next == task->cpu_timers[0].prev && (unsigned long)task->cpu_timers[0].next > KERNEL_START
		 && task->cpu_timers[1].next == task->cpu_timers[1].prev && (unsigned long)task->cpu_timers[1].next > KERNEL_START
		 && task->cpu_timers[2].next == task->cpu_timers[2].prev && (unsigned long)task->cpu_timers[2].next > KERNEL_START
		 && task->real_cred == task->cred && (unsigned long)task->cred > KERNEL_START) {

That's all that needed to be changed, keeping in mind none of us have seen the actual towelroot source code so some of these things may not even be necessary or may already be present there, leaving it up in the air why towelroot doesn't work for us. I would guess the IOVs were the issue, somehow, but at least with this code, the credential needed to be checked to be in kernel space as well. Did not test without setaffinity.
 
Last edited:

TCPDump

Senior Member
May 26, 2014
402
288
Central US
It is the first link at the top of ghettoroot.c, fi01's cube-towel.c page. (Every page linked in ghettoroot.c was helpful.)

I am planning to clean it up a bit myself this evening, but if someone wants to repackage the entire thing and re-post to a new thread, go for it! :) Or you can wait until I clean things up a little bit and then do it... Or just not. Whatever you want to do. I'm not very concerned about who gets credit for what, though a mention of my randomly-generated name might be nice.

Thanks to those who've helped others so far, and those who've shared success/failure.

EDIT: Wanted to point out that there were very few changes from fi01's original cube-towel.c code that were necessary to get the exploit itself to work. The rest is fluffy stuff, in addition to execution of useful commands once root was gained rather than being a proof-of-concept alone.

Here is *exactly* what was changed in the exploit code. Very minimal, you will see.

Setting of processor affinity added as recommended at tinyhack.com's "Exploiting the Futex Bug and uncovering Towelroot" post, and called in main():
Code:
void setaffinity()
{
  pid_t pid = syscall(__NR_getpid);
  int mask=1;
  int syscallres = syscall(__NR_sched_setaffinity, pid, sizeof(mask), &mask);
  if (syscallres)
  {
      printf("Error in the syscall setaffinity: mask=%d=0x%x err=%d=0x%x", mask, mask, errno, errno);
      sleep(2);
      printf("This could be bad, but what the heck... We'll try continuing anyway.");
      sleep(2);
  }
}
Change to IOV code, also using tinyhack.com recommendations:
From:
Code:
if (ph->l2 == 0) {
for (i = 0; i < 8; i++) {
msg_iov[i].iov_base = (void *)MAGIC;
msg_iov[i].iov_len = MAGIC_ALT;
}
}
else {
for (i = 0; i < 8; i++) {
msg_iov[i].iov_base = (void *)MAGIC;
msg_iov[i].iov_len = 0x10;
}
}
To:
Code:
  // tbh i'm not really sure how this is supposed to look or work
  // but it is working with note 2 as is with modstring 0 1 0 4
  // and that is all i care about right now.
  // see http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/
  for (i = 0; i < 8; i++) {
    iov[i].iov_base = (void *)MAGIC;
    if (ph->align == 0) {
      if (i==ph->hit_iov) {
        iov[i].iov_len = MAGIC_ALT;
      }
      else {
        iov[i].iov_len = 0x10;
      }
    }
    else {
      iov[i].iov_len = MAGIC_ALT;
    }
  }
When searching through task structures for a credential to overwrite (to get us root), verify that the credential is in kernel address space, the same way the other pointers are verified. Otherwise, we're not in the right place in memory yet...
From:
Code:
if (task->cpu_timers[0].next == task->cpu_timers[0].prev && (unsigned long)task->cpu_timers[0].next > KERNEL_START
 && task->cpu_timers[1].next == task->cpu_timers[1].prev && (unsigned long)task->cpu_timers[1].next > KERNEL_START
 && task->cpu_timers[2].next == task->cpu_timers[2].prev && (unsigned long)task->cpu_timers[2].next > KERNEL_START
 && task->real_cred == task->cred) {
To:
Code:
if (task->cpu_timers[0].next == task->cpu_timers[0].prev && (unsigned long)task->cpu_timers[0].next > KERNEL_START
 && task->cpu_timers[1].next == task->cpu_timers[1].prev && (unsigned long)task->cpu_timers[1].next > KERNEL_START
 && task->cpu_timers[2].next == task->cpu_timers[2].prev && (unsigned long)task->cpu_timers[2].next > KERNEL_START
 && task->real_cred == task->cred && (unsigned long)task->cred > KERNEL_START) {

That's all that needed to be changed, keeping in mind none of us have seen the actual towelroot source code so some of these things may not even be necessary or may already be present there, leaving it up in the air why towelroot doesn't work for us. I would guess the IOVs were the issue, somehow, but at least with this code, the credential needed to be checked to be in kernel space as well. Did not test without setaffinity.
I'll wait til you clean it up and then repackage. I don't care about credit either. I'll pm you my gtalk shortly.
 
  • Like
Reactions: benfikaman

empty20

Member
Jul 10, 2014
7
2
I would like to try this. I have downloaded the SDK, however I do not have any idea what the ADB step means. Basically, I have no idea what I am doing and would appreciate a little help as far as making sure I have everything that needs downloaded. Thanks.

edit: Got it figured out!
 
Last edited:

Droc1983

Senior Member
Feb 8, 2012
68
3
Having trouble with safestrap. I installed apk and ran install recovery and grant root access but it says recovery not installed in the app.
 

mlw4428

Member
Jan 7, 2008
18
5
Not working...

I'm seeing:

Unable to chmod /data/local/tmp/busybox: no such file or directory
sh: /data/local/tmp/busybox: not found
Could not find/unzip SuperSU: Success
Please place an UPDATE-SU-*.zip file in the mail folder before running the install script

Any help would be appreciated.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 44
    GhettoRoot (Towelroot port) v0.3.0.1, v0.3.2 Testing (looking for new owner)

    Code:
    *** Disclaimer
    
    This project is licensed under the GPLv3.  Bundled third-party components
    have different licenses, but these components are bundled or downloaded
    as separate executables; all appropriate LICENSE files are included, along
    with links to source code.
    
    THIS UTILITY MAKES USE OF A KERNEL EXPLOIT TO GAIN ROOT PRIVILEGES
    AND MAKE MODIFICATIONS TO YOUR DEVICE'S FILESYSTEM.  IT WILL
    PROBABLY WILL VOID YOUR WARRANTY.  IF YOU DO NOT FOLLOW THE
    INSTRUCTIONS, YOU COULD END UP WITH A BRICK.  EVEN IF YOU DO
    FOLLOW THE INSTRUCTIONS, YOU MIGHT END UP WITH A BRICK.
    
    ROOTING IS A POTENTIALLY DANGEROUS PROCESS AND, WHILE I WILL TRY
    TO HELP IF YOU HAVE TROUBLE, I CANNOT ACCEPT RESPONSIBILITY
    FOR RANDOM MISFORTUNE, COSMIC RAYS, ETC.

    Help Wanted
    My activity with this project will be diminishing. As far as I know, everything as of now "just works" with the SCH-I605, and that's all I really wanted to accomplish from the start. I'm hoping someone will take it over -- ideally someone who'd be willing to look into fixing the code to support other devices. It's open-source, so you can start looking at it now and see if you're interested. Compiling is simple... Just install the NDK and use ndk-build, or 'make' in Linux.

    If you'd like to take over the development, and you've worked on projects like this before, I'd greatly appreciate it; perhaps we can get a mod to transfer this thread to you, or you're free to start a new one. After a certain point, I'll stop monitoring threads and messages, so you're free to go ahead and take charge without waiting to hear from me, if you'd like.

    Post elsewhere, if you'd like, to let people know that this code is available and might be adjustable for other devices. It really shouldn't be difficult for someone with a background with this stuff.

    Problematic areas are likely the iov code (search "Not sure if this is entirely correct") and also the limit_offset stuff (search "ph->limit_offset != 0"), but I have no way of knowing for sure if there's anything wrong with limit_offset since I don't have an applicable Samsung device. There are scattered references to the sources I used to figure out some of this in the README and in ghettoroot.c itself.

    That's all, folks. Thanks.


    Introduction
    This is an automatic root method for your Note 2 (or, potentially, other device) based on code for the CVE-2014-3153 exploit.Unlike towelroot, it is a tethered root in that it requires you to connect your device to a computer to perform the root. However, it only requires a computer the one time; root sticks.

    This code appears to have been reverse-engineered from towelroot itself (but not the latest version), so Geohot gets the credit for this one. This is more like a bugfix which only works (for sure) with the Verizon Galaxy Note II so far. The changes from the towelroot-equivalent exploit code are incredibly minimal. Only a few lines of code need really be changed to get it working, but devices incompatible with towelroot are becoming ghetto, so there wasn't a lot of motivation for the problems to be investigated.

    GhettoRoot attempts to walk you through the prerequisites for the rooting process and give you hints if there are problems; it does the dirty work itself.


    Installation instructions
    Please see the LICENSE file for details on copying and usage (GPLv3).

    This software will attempt to root your device and might void its warranty.
    Please BACK UP ANYTHING IMPORTANT before continuing.

    Note: By default, v0.3.0.1 attempts to disable Knox and OTA update packages.
    If you'd rather this not happen, scroll to CONFIGURATION.

    1. Install USB drivers for your device if needed, for Windows.
      Koush's drivers are a good bet. 'Download Windows Installer', and run:
      https://github.com/koush/UniversalAdbDriver
    2. Download the busybox-arm4vl binary. The installer will help you with this.
      You can get it manually from http://www.busybox.net, specifically from
      http://www.busybox.net/downloads/binaries/latest
      Place the binary in the files/ folder. It will be automatically renamed
      to 'busybox'.
    3. Enable USB debugging. If necessary, go to 'About device' under Settings and tap
      the Build number several times to enable the Developer options. Go back, and
      go to Developer options, and enable USB debugging there.
    4. Plug in your device to your computer.
    5. Unlock your device's lockscreen if it is locked.
    6. Manually choose a USB mode from the notification, or wait for the Installer mode
      phase of USB to end, which takes about 30 seconds. If your device does not have
      an Installer mode, skip this. If you're not sure, just wait the 30 seconds.
    7. If/when a popup appears asking for authorization for your PC, allow it.
    8. If a popup does not appear and has never appeared before, or you clicked Cancel,
      or you're just having a lot of trouble, go to Developer option and toggle USB
      debugging off and on again. Then, try again. You may need to disconnect and re-
      connect your device or tap Revoke USB authorization if nothing seems to help.
    9. On Linux or OS X, enter a terminal at the folder you extracted the zip file to,
      and type chmod +x INSTALL.sh.
    10. To run, execute INSTALL.cmd on Windows.
      On Linux or OS X, type the following in the same terminal: ./INSTALL.sh
    11. Follow the on-screen instructions.


    Configuration
    v0.3.2 config.txt details:
    Code:
      Open up config.txt, and customize as follows, adding or removing arguments
        as you see fit. It should always start with ./root.sh
      *** ENSURE THE CONTENTS OF config.txt IS A *SINGLE LINE*.
      *** COMMENTS WITHIN config.txt ARE NOT PERMITTED.
      Default: ./root.sh --root --deknox --deota --desurveillance
      Former default: ./root.sh --root --disable-knox --disable-ota
    
    Usage: ./root.sh [OPTION] [COMMAND]
      With no arguments, --root is implied.
    
      Main options
      --root, --supersu    Install SuperSU (permaroot)
      --deknox             Remove Knox (recommended)
      --deota              Remove OTA packages (recommended)
      --debloat            Remove Bloat (recommended)
      --desurveillance     Remove some surveillance (recommended)
      --disable-ota        Disable OTA update-related packages
      --disable-knox       Disable Knox packages
      --really-remove      Actually remove things instead of
                           putting them in $jaildir
      --undo               Try to undo the specified option.
                           If you had used --really-remove then
                           it won't work for deknox, debloat, deota.
    
      Anti-convenience options
      --no-mount-rw        Don't mount / and /system read-write
      --no-sepermissive    Don't set SEAndroid to permissive
      --no-chmod-scripts   Don't chmod 0755 all scripts in
                           $TMPDIR
    
      COMMAND: Command to be run after other options.
               Arguments may follow.
               If unspecified, will look for and run custom.sh.
    
      ex. ./root.sh --root
          ./root.sh --root --undo
          ./root.sh --root --deknox --deota --debloat
          ./root.sh cp /sdcard/build.prop /system/build.prop
    [/HIDE]

    Thanks To/Credits
    Code:
      geohot for developing [URL="http://forum.xda-developers.com/showthread.php?t=2783157"][U]towelroot[/U][/URL], on which
        this code is DIRECTLY based! Reverse-engineered/decompiled, but not by me.
        I don't think anyone had a licensing claim on towelroot or this code so I made it GPLv3.
      fi01 for his shared [URL="https://gist.github.com/fi01/a838dea63323c7c003cd"][U]exploit code[/U][/URL] on github:
      tinyhack.com for the [URL="http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/"][U]helpful post on the Futex bug[/U][/URL]:
      chainfire, for [URL="http://forum.xda-developers.com/showthread.php?t=1538053"][U]SuperSU[/U][/URL]!
          THANK YOU for the lenient distribution policy.
      NetworkingPro at xda-developers for the assistance to all. :)
      Other folks at xda-developers for testing and offering support.
      Google, of course, and the Android Open Source Project.

    Changelog & Download
    A note on v0.3.2 Testing:
    Code:
    WARNING:  ESPECIALLY with this version, PLEASE make sure you have backups of
              your important applications and their data!
              Alternatively, you might be safer changing config.txt to the
              old value as listed below.
    Code:
    This version is called 'Testing' because I haven't really had time to test it
    fully, and there's a bunch of new stuff, namely the de* (*-removal) scripts.
    
    I DON'T KNOW HOW WELL THE DE* CODE WORKS. You may want to give me some time
    to see how my device holds up before testing yourself, or check out
    files/root.sh to see what the new stuff does, but I do need other people to
    test as well, so I've changed the config.txt to include the new features,
    sans --debloat.
    
    If you DO NOT want to try the new features, change config.txt to the following:
    ./root.sh --root --disable-knox --disable-ota
    
    However, even the --disable-knox and --disable-ota code has changed.
    Your mileage may vary!
    
    Search files/root.sh for ### DEBLOAT, ### DEKNOX, ### DEOTA, ## DESURVEILLANCE,
    etc. to see exactly what they do.

    Code:
    Current changelog: [U][B][URL="http://forum.xda-developers.com/devdb/project/dl/?id=8457"]v0.3.2 [I]Testing[/I][/URL][/B][/U] (2014/09/08)
    [fixed?] drowsy attempt to fix a silly bug with default modstring
    [new] new default config.txt: --deknox, --deota, --desurveillance
    [new] --deknox, --deota, --debloat, --desurveillance, --really-remove,
          --undo features added. See README.txt or search files/root.sh
          for ### DEBLOAT, ### DEKNOX, ### DEOTA, ## DESURVEILLANCE,
          etc. to see exactly what they do.
    [change] starting to change verbage from 'phone' to 'device'
    [note] v0.3.1 would have been too confusing, so straight to v0.3.2.
    
    [U][B][URL="http://forum.xda-developers.com/devdb/project/dl/?id=8439"]Download v0.3.0.1[/URL][/B][/U] (2014/09/07)
    [fixed] Issue with find.exe when other find executables are in PATH.
    
    [URL="http://forum.xda-developers.com/devdb/project/dl/?id=8438"]v0.3.0 (2014/09/07)[/URL]
    [new] License: this project is licensed under GPLv3.
    [new] Added ADB binaries for Linux and Mac OS X.
    [note] This means we have experimental & untested support for Intel Macs
    [changed] Restructuring of post-root procedures:
       No more hard-coded commands for installing SuperSU, etc.
       These things are present in files/root.sh instead, and
         may be freely edited.
    [changed] Command-line parameters have DRASTICALLY changed.
      See the README.txt.
    [new] Added modstrings.txt, config.txt
    [changed] Busybox no longer bundled due to licensing concerns;
      curl added for downloading busybox, instead.

    Older changelogs:

    Code:
    v0.2.2 (2014/09/04)
    Fixed INSTALL.cmd hanging when launching ADB, or not running
      properly as an administrator.
    Further improved error handling, with more detailed steps for
      troubleshooting, and retries.
    User acknowledgment now required for certain tasks with (Y/N).
    Fixed date on previous update being in the future... Hmm...
    
    v0.2.1 (2014/09/03)
    ** pulled, did not fix adb hang issue after all **
    
    v0.2 (2014/09/03)
    Code cleaned up a bit, but still gives verbose debug messages
      since they might be important. Can disable those with --brief.
    Some error handling in the install script.
    Everything is orchestrated from a single batch file ("one-click",
      though multiple scripts are still used internally).
    Should work properly with Windows and Linux, and come
      bundled with ADB for Windows. Thanks, NetworkingPro!
    
    v0.1 (2014/08/31)
    Initial release.


    LINK TO FORMER THREAD HERE

    Apologies in advance for any kind of faux pas I've made or rule I've broken. There always seems to be something...

    Code:
    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
    *  GhettoRoot is free software: you can redistribute it and/or modify     *
    *  it under the terms of the GNU General Public License as published by   *
    *  the Free Software Foundation, either version 3 of the License, or      *
    *  (at your option) any later version.                                    *
    *                                                                         *
    *  GhettoRoot is distributed in the hope that it will be useful,          *
    *  but WITHOUT ANY WARRANTY; without even the implied warranty of         *
    *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          *
    *  GNU General Public License for more details.                           *
    *                                                                         *
    *  You should have received a copy of the GNU General Public License      *
    *  along with GhettoRoot.  If not, see <http://www.gnu.org/licenses/>.    *
    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
    42
    GhettoRoot - All-In-One

    Everyone, please use this .zip from now on. Please test, and let me know how it goes. I have simplifed the root be a single click root method.

    Steps:
    1. Download and unzip file.
      [*]Connect phone, ensure usb debugging is on, and device is authorized.
      [*]Double click GhettoRoot.bat

    Download - View attachment GhettoRoot.zip

    In full disclosure I have no idea where the source for this came from, I just made it pretty, and tried to make it super easy. Credit goes to 25yvdgpo06 for finding it. This root very well may work any many other devices, including other Samsung devices. Looking at the source I dont see anything that should hurt another device. Worst case scenario it simply doesn't root it. Please let us know if you try another device with success.
    14
    Confirmed Working Root For Stock 4.4.2 - ND7

    Can someone please sticky this???
    Just wanted to share this with everyone since I had a hard time finding a working version of Ghettoroot for the latest Verizon Note 2 OTA ND7 update. For some reason the adb.exe was not the right one. I hope this helps everyone. I take no credit in the creation, I just fixed it so that it is easier for others to root a brand new phone.
    4
    We're on ND7. Ghettoroot utilizes an exploit in the ND7 bootloader. If you're not on ND7, it won't work.

    ---------- Post added at 08:14 PM ---------- Previous post was at 07:55 PM ----------

    Well, I've come to accept it. Our beloved Note 2 has gone the way of the cavemen and is now considered "old". It appears that the dev's are neither willing nor interested enough to put in the work it will take to unlock the bootloader on this "archaic" device. This news comes as a supreme disappointment. I've only had this phone for 2 years, and considering all the new features it possessed and the hefty price tag, I had expected it to last at least 5. I guess that's just technology for you, 6 months and it's obsolete. However, some of us can't afford a new device every 6 months. I would be willing to bet most of us. Aside from the dev's apparently. So thank you, for all the "hard work" you won't be putting into it. When I do buy a new device, I won't be coming here. A word of advice to anyone reading, DO NOT ACCEPT THE OTA UPDATES. Ever. Once the work is done to root/unlock and a new batch of devices comes out, you will undoubtedly be in the same boat. Oddly, even sizable bounties posted here aren't enough incentive.

    Don't be so over dramatic! enjoy your new stock phone. THe developers take their OWN time to do all this work & don't get paid for it. If you're rooted why do you need an unlocked bootloader? Xposed will let you do just about everything that is in most of the roms you want to flash with more freedom to customize the rom the way you want. No one owes you anything & if you need your bootloader unlocked that bad learn how to do it yourself...
    3
    If I hadn't just killed my phone (perma red angry text of death) I would definitely help test. Of course you have me to thank as well. Why? Because I knew as soon as I broke my phone, or upgraded someone would come out with a root fix. So you're welcome. However there is still a good chance that the new "probably very used" replacement phone I get from Verizon will be 4.4.2 already so then I will try this out. Unless this is some sort of very cruel trick played on those of us that can't afford to upgrade our phones every other month, in which case shame on you, and I will still try it until I am blue in the face. And crying.

    Nope, not a trick! My username looks a bit dubious even to me, but it was randomly generated by KeePass.