Root Exploit

xsacha

Senior Member
Sep 18, 2008
Hey guys,
I was looking at the newly patched (for 4.4.3) exploit.
It is patched in our .402 firmware but is exploitable in .69.


Update: Exploit is released, see primary thread: http://forum.xda-developers.com/showthread.php?t=2781109



-----------------------------------------------------------------------------------------
With it me and a friend have managed to take out SELinux:
Code:
[email protected]:/data/local/tmp $ getenforce                                      
Permissive
Edit: And now, my device is rooted! Sweet :) Time to back up TA.

Edit#2
Code:
I/sh (12494): I am running as..
I/sh (12494): uid=0(root) gid=0(root) context=u:r:vold:s0
I/sh (12494): Backing up TA..
I/sh (12494): lrwxrwxrwx root root 1970-03-20 09:35 TA -> /dev/block/mmcblk0p1
I/sh (12494): 4096+0 records in
I/sh (12494): 4096+0 records out
I/sh (12494): 2097152 bytes transferred in 0.065 secs (32263876 bytes/sec)
I/sh (12494): Created /data/local/tmp/TA.img -- Checking MD5..
I/sh (12494): 215c7526bb9abea4ae6363c25987bbd0 /dev/block/platform/msm_sdcc.1/by-name/TA
I/SemcPhoneInterfaceManager(12500): QcSemcService is connected.
I/sh (12494): 215c7526bb9abea4ae6363c25987bbd0 /data/local/tmp/TA.img
 

SANGER_A2

Senior Member
Aug 1, 2009
WOW! this is the most exciting news on this forum yet! Do you have a link to a guide for this exploit?

Sent from my MI 2S using Tapatalk
 

xsacha

Senior Member
Sep 18, 2008
I would really like to make it a simple process. Right now it is *VERY* ugly!
You have to take out selinux and then replace some files (specific to .69) that let you run root commands from a bash file.

Right now it's just a collection of scripts, an apk and a tar.gz. No checks at all to make sure they are being run correctly.

From what I can tell, this method I am using will work for ALL phones using Android 4.4.2 (unpatched) or earlier.
Although it is using Sony files for the exploit for no other reason than I only cared about rooting my device.
 

SANGER_A2

Senior Member
Aug 1, 2009
Nice. Hope you can get it polished enough to share soon! Maybe ask for donations too. I'm ordering one soon and I would love root without killing my warranty.

Sent from my MI 2S using Tapatalk
 

SANGER_A2

Senior Member
Aug 1, 2009
Cool. Can't wait to try it out. Will be a while as I'm not ordering the tablet for about a week. I'm fine with linux, but ADB looks like a complete PITA to install on it, plus having to mess around configuring the USB to talk to the tablet. I've used ADB lots on Windows with no issues and will probably run the commands from there instead. I don't quite understand the "&& \" at the end of each adb command. Is that needed if using ADB in windows?

I'm trying to figure out how it all works and I can understand most of what you have done. I assume the exploit.apk gives su. Is this temporary until a reboot or permanent? And does it mean we have to have the app installed permanently or can it be uninstalled afterwards? Then, you copy and make the scripts & binaries executable. But you don't seem to run the scripts? Do the scripts need to be run on the device in a terminal emulator to backup the TA partition and mount the new volume with vold?
 

xsacha

Senior Member
Sep 18, 2008
Quote:
Damn, already updated to .402. Is there anyway to go back to .69?
Great work btw.
Yes, just flash .69. I was on .402 as well and found the exploit patched.

Quote:
Cool. Can't wait to try it out. Will be a while as I'm not ordering the tablet for about a week. I'm fine with linux, but ADB looks like a complete PITA to install on it, plus having to mess around configuring the USB to talk to the tablet. I've used ADB lots on Windows with no issues and will probably run the commands from there instead. I don't quite understand the "&& \" at the end of each adb command. Is that needed if using ADB in windows?

I'm trying to figure out how it all works and I can understand most of what you have done. I assume the exploit.apk gives su. Is this temporary until a reboot or permanent? And does it mean we have to have the app installed permanently or can it be uninstalled afterwards? Then, you copy and make the scripts & binaries executable. But you don't seem to run the scripts? Do the scripts need to be run on the device in a terminal emulator to backup the TA partition and mount the new volume with vold?
There was absolutely zero configuration on my Linux distro. In Ubuntu, adb comes in the repos. You don't need drivers on Linux because they are detected as usbnet by default. It literally just works out of the box.

The "&& \" is actually for bash. The && only continues if the previous command succeeds. The \ breaks the command onto the next line.
On Windows, you'd use a caret (^) instead of a backslash.

The exploit.apk is used to deploy a shared library owned by system because when a system app tries to load its library, it needs to be owned by system and this is the only way I know how to achieve that.
The exploit is all in vdc (a shell command), which allows us to overwrite files anywhere on the system. So in this instance, ServiceMenu is used. Its library is overwritten with one from exploit.apk. The library simply turns off selinux and then runs whatever is in 'log.command' prop which is in this instance, a shell script. In the script it continues on to the root.
Basically: All apps have system libraries but they can't execute system code unless a system app runs it. System user can turn off selinux. Turning off selinux is required to run as root.

Yes, the scripts get run indirectly. You don't run them yourself because you are only a mere shell user. Vold is not used for anything. It's simply the vehicle for running as root.
 
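The TA backup in the first post's log (dd the partition to /data/local/tmp/TA.img, then compare MD5 of source and image) and the "&& \" chaining explained above can be put together as a small script. This is an added example, not xsacha's script and not from the released exploit: the partition and image paths are arguments (the paths in the log, /dev/block/platform/msm_sdcc.1/by-name/TA and /data/local/tmp/TA.img, are the obvious ones to pass), it has to run as root on the device as the post's log does, and it uses POSIX md5sum so it can also be tried on a Linux host against an ordinary file; the log suggests the on-device tool was toolbox's md5, whose output format is the same "hash path" shown there.

```shell
#!/bin/sh
# Added example, not the original script: back up a raw partition with dd and
# verify the image by checksum, as the TA backup log in the first post does.
# Usage (as root on the device): backup_ta.sh SRC DST, e.g. the assumed paths
#   /dev/block/platform/msm_sdcc.1/by-name/TA  /data/local/tmp/TA.img

# checksum FILE: print the MD5 of FILE, fail if it cannot be read.
checksum() {
    sum=$(md5sum "$1" | cut -d' ' -f1)
    [ -n "$sum" ] && echo "$sum"
}

# verify_image SRC DST: succeed only if both hash identically (the two
# md5 lines in the post's log are exactly this comparison).
verify_image() {
    src_sum=$(checksum "$1") || return 1
    dst_sum=$(checksum "$2") || return 1
    echo "$src_sum  $1"
    echo "$dst_sum  $2"
    [ "$src_sum" = "$dst_sum" ]
}

# backup_partition SRC DST: copy SRC to DST with dd, then verify the copy.
backup_partition() {
    src="$1"
    dst="$2"
    # TA holds the DRM keys and cannot be regenerated, so never clobber an
    # image that already exists and never leave a half-written one behind.
    if [ -e "$dst" ]; then
        echo "refusing to overwrite existing $dst" >&2
        return 1
    fi
    echo "Backing up $src.."
    if ! dd if="$src" of="$dst" bs=4096; then
        rm -f "$dst"
        return 1
    fi
    echo "Created $dst -- Checking MD5.."
    if ! verify_image "$src" "$dst"; then
        echo "checksum mismatch, removing $dst" >&2
        rm -f "$dst"
        return 1
    fi
}

# Each step only runs if the previous one succeeded: the same "&& \" chaining
# the post describes for the adb commands. A failed dd or a bad checksum
# stops the chain before anything claims success.
if [ "$#" -eq 2 ]; then
    backup_partition "$1" "$2" && \
    echo "backup verified"
fi
```

On a device without md5sum, replace the `checksum` body with the toolbox equivalent (`md5 "$1"` prints the hash first in the same way); the rest of the script is unchanged. Copy the verified image off the device with `adb pull` before doing anything to the bootloader.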

SANGER_A2

Senior Member
Aug 1, 2009
Thanks for the explanation Sacha. Can't wait to try it. So this lets us back up TA. Does it also provide permanent root or do we still need to unlock the bootloader and break the warranty to get that?

I'll have a play putting adb on Linux tonight. All the guides I found were pretty old!

Sent from my MI 2S using Tapatalk
 

xsacha

Senior Member
Sep 18, 2008
Quote:
Thanks for the explanation Sacha. Can't wait to try it. So this lets us back up TA. Does it also provide permanent root or do we still need to unlock the bootloader and break the warranty to get that?

I'll have a play putting adb on Linux tonight. All the guides I found were pretty old!
Definitely not permanent. Resets on reboot.

I couldn't find anywhere to stick the su binary. /system can't be remounted rw by root. All the other partitions don't let me setuid. If anyone knows where to stick, that would be appreciated.

Afaik unlocking bootloader shouldn't void warranty? Isn't that one of the reasons for TA. When we flash it back, warranty is valid again?
 

ranf

Senior Member
May 21, 2012
Quote:
Thanks for the explanation Sacha. Can't wait to try it. So this lets us back up TA. Does it also provide permanent root or do we still need to unlock the bootloader and break the warranty to get that?

I'll have a play putting adb on Linux tonight. All the guides I found were pretty old!
If your distro doesn't have it in the repos just download and install the official Android SDK. There you only install the "platform-tools".
 

fleckdalm

Senior Member
Dec 12, 2010
Thank you very much for this, that's really great news!! As soon as I have time and found out how to flash back to .69 I will try it out. Is there a way to donate to you for your work? ;)

Nevertheless if I understood it right, this persists only until a reboot so if I root it and then update back to .402 it will be gone, so there is no way to have root on .402 with locked bootloader?

Or is it possible to root and backup ta, flash .402 restore ta and lock bootloader AND keep root? That would be awesome!

Thanks
Fleckdalm
 

xsacha

Senior Member
Sep 18, 2008
Quote:
Thank you very much for this, that's really great news!! As soon as I have time and found out how to flash back to .69 I will try it out. Is there a way to donate to you for your work? ;)

Nevertheless if I understood it right, this persists only until a reboot so if I root it and then update back to .402 it will be gone, so there is no way to have root on .402 with locked bootloader?
I guess you can donate if you want :) I didn't put much time in to this and I didn't discover the Android exploit. Most of my projects (like Dingleberry for rooting) have a full UI and everything. I have a donate link on my blog: http://www.qtness.com/blog/

That's correct. If you upgrade to .402, you will not be able to do it. It's a tethered root but being able to back up TA means you can unlock the bootloader and lock it again with everything preserved.
 

fleckdalm

Senior Member
Dec 12, 2010
Quote:
I guess you can donate if you want :) I didn't put much time in to this and I didn't discover the Android exploit. Most of my projects (like Dingleberry for rooting) have a full UI and everything. I have a donate link on my blog: http://www.qtness.com/blog/

That's correct. If you upgrade to .402, you will not be able to do it. It's a tethered root but being able to back up TA means you can unlock the bootloader and lock it again with everything preserved.
Yeah I will support your good work!

So that means I can flash .69 using flash tool and back up TA using your script, then I can flash .402, unlock the bootloader, flash CWM and root? But how should I continue then? How can I relock the bootloader and restore TA? And are you sure that root and CWM aren't lost during this process? Is there really no way to find out if the bootloader was unlocked after doing this (for warranty reasons)? Has somebody successfully tried out this procedure?

Oh and another problem, I can't find a .69 ftf anywhere for the Wifi only model sgp511?

BTW I have just donated to you ;)
 

xsacha

Senior Member
Sep 18, 2008
Quote:
Yeah I will support your good work!

So that means I can flash .69 using flash tool and back up TA using your script, then I can flash .402, unlock the bootloader, flash CWM and root? But how should I continue then? How can I relock the bootloader and restore TA? And are you sure that root and CWM aren't lost during this process? Is there really no way to find out if the bootloader was unlocked after doing this (for warranty reasons)? Has somebody successfully tried out this procedure?

Oh and another problem, I can't find a .69 ftf anywhere for the Wifi only model sgp511?

BTW I have just donated to you ;)
For the bootloader locking questions, I'm not the best to ask. I am asking about warranty myself on another thread. This is my first sony device so not sure how they operate.

Don't know. I use sgp521.
Technically anything before firmware .402 should work.
 

nos1609

Senior Member
Feb 16, 2009
Moscow
Success!

xsacha, GREAT work!
Successfully unlocked my bootloader and restored DRM keys! Thanks a lot! really appreciate your work :good:

And about the warranty: if you lock the bootloader before bringing the device to the service center they won't be able to find any traces of the bootloader unlock! So with your help we don't need to void our warranty.
 


fleckdalm

Senior Member
Dec 12, 2010
Quote:
xsacha, GREAT work!
Successfully unlocked my bootloader and restored DRM keys! Thanks a lot! really appreciate your work :good:
So you have done it like this?
Flash .69 using flash tool and back up TA using the script, then flash .402, unlock the bootloader, flash CWM and root.

But how should I continue then? How can I relock bootloader and restore ta?
 