Root is coming I think! Look Here


Stoffl_

Senior Member
Jan 18, 2007
836
193
Recently ordered a 4th gen 2014 HD 7 because they're currently on sale.
I mean who can say no to a quadcore 7" IPS tablet for 79€. :)

Eagerly awaiting a possible root to install google play store / services.

#Subscribed
 

Ado40

Member
Dec 27, 2014
7
0
I've found a link (that I can't post because I don't have enough posts) on How to root.club for rooting the Fire HD7.

Has someone tested it?
 

tarvoke

Senior Member
Mar 8, 2011
161
50
Slightly Outside America
I've found a link (that I can't post because I don't have enough posts) on How to root.club for rooting the Fire HD7.
Has someone tested it?

It's a lot more likely to be the software for the previous 2013/3rd-gen "Kindle Fire 7", not for the 2014/4th-gen "Fire HD 7". At best, it simply won't work, but there is a good chance it could also brick a 4th-gen Fire HD. I would very much hesitate to try it. But if you can post the links it would be interesting to look...
 

apatcas

Senior Member
May 25, 2007
614
158
Seems like someone got some free tablets... send me some, I'll work on getting this rooted also.
 

mrkhigh

Senior Member
Dec 6, 2012
1,877
607
Google Pixel 2
Google Pixel 3
Locked bootloader means no recovery to flash su. As for root exploits, it's not just this device, it is all new devices. Unless a dev shows special interest in this device, we will be waiting for the next mass exploit such as Towelroot etc.

Sent from my XT907 using XDA Free mobile app
 

blackwat3r

Member
Apr 21, 2015
14
5
Locked bootloader means no recovery to flash su. As for root exploits, it's not just this device, it is all new devices. Unless a dev shows special interest in this device, we will be waiting for the next mass exploit such as Towelroot etc.

Sent from my XT907 using XDA Free mobile app

Perhaps we get lucky and something like CVE-2014-7953, which just got disclosed, works.

details:

Android backup agent arbitrary code execution
---------------------------------------------

The Android backup agent implementation was vulnerable to privilege
escalation and a race condition. An attacker with adb shell access could
run arbitrary code as the system (1000) user (or any other valid
package). The attack was tested on Android OS 4.4.4.


The main problem is inside the bindBackupAgent method in the
ActivityManagerService.
This method is exported through Binder and is available for the shell
user to call, since android.permission.BACKUP is granted to it.

The method has an ApplicationInfo parameter, which is unsecured (not
cross-validated through the PackageManager), so the uid member could be
manipulated. The supplied ApplicationInfo object is passed directly as a
parameter to startProcessLocked().

Before invoking startProcessLocked, bindBackupAgent also tries to set the
stopped state for the package.
This call is bound to an additional permission
(CHANGE_COMPONENT_ENABLED_STATE), which is a system permission that not
even the shell user has.

However, there is a race condition between PackageManager and
ActivityManagerService, so this security check can be bypassed.

The existence check for the specified package happens first, in
mSettings.setPackageStoppedStateLPw(). If the package does not exist,
an IllegalArgumentException is thrown. (The permission would have been
validated only as the next step, resulting in a SecurityException.)

So, if the package does not exist, an IllegalArgumentException is thrown,
which is caught by bindBackupAgent, but execution won't stop (only a
warning is logged):

// Backup agent is now in use, its package can't be stopped.
try {
    AppGlobals.getPackageManager().setPackageStoppedState(
            app.packageName, false,
            UserHandle.getUserId(app.uid));
} catch (RemoteException e) {
} catch (IllegalArgumentException e) {
    Slog.w(TAG, "Failed trying to unstop package "
            + app.packageName + ": " + e);
}


It was possible to perform the following steps in order to exploit this:

1. execute "pm install helloworld.apk" (with package name
com.example.helloworld)

2. with another script process logcat's output and look for
the dexopt line (DexOpt: load 3ms, verify+opt 5ms, 161068 bytes)

3. trigger execution of the bindBackupAgent system call (with uid
spoofed to 1000 in ApplicationInfo) as soon as the dexopt line was seen


Since this is a race condition and timing is important, it might not
work at first. I was lucky on the 3rd attempt.

In this lucky scenario the package did not exist while
setPackageStoppedStateLPw tried to find it, but then it became available
for startPackageLocked.

At this point a new process was forked by the Zygote:


shell () grouper:/ $ ps |grep hello
ps |grep hello
system 6826 141 692340 17312 ffffffff 00000000 S
com.example.helloworld


No code was executed, however, since there is an additional security
check in handleCreateBackupAgent in the ActivityThread:

PackageInfo requestedPackage =
        getPackageManager().getPackageInfo(
                data.appInfo.packageName, 0, UserHandle.myUserId());
if (requestedPackage.applicationInfo.uid != Process.myUid()) {
    Slog.w(TAG, "Asked to instantiate non-matching package "
            + data.appInfo.packageName);
    return;
}


But the process com.example.helloserver was executed with debug flags
(due to the simple fact that it was built by us, and we built it as a
debug build), so DDMS could be attached to it.

To verify actual code execution, I added
Runtime.getRuntime().exec("touch /data/app/testSystem")
as an expression in the debugger to be evaluated by the process.

The command was executed successfully:

shell () grouper:/data/app $ ls -la testSystem
ls -la testSystem
-rw------- system system 0 2014-08-06 01:52 testSystem


13-byte bugfix for all the above in version control:
hxxps://android.googlesource.com/platform/frameworks/base/+/a8f6d1b%5E!/

Lollipop is not affected, earlier Android versions are.


Tested on: Android 4.4.4
Reported on: 2014-08-15
Assigned CVE: CVE-2014-7951
Android bug id: 15829193
Discovered by: Imre Rad / Search-Lab Ltd.
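As an added illustration (not part of the advisory, the post, or AOSP code), a constructed Python model of the two check orderings the advisory describes: the vulnerable bindBackupAgent path that swallows the package-not-found exception and forks with the caller-supplied uid, beside a hardened version that cross-validates the ApplicationInfo against the package manager before doing anything else. Every class and function name is a stand-in, and the package name and uid values are constructed.

```python
# Constructed model of the check ordering in the CVE-2014-7951 advisory above.
# Not AOSP code: every name is a stand-in for the real framework pieces.
from collections import namedtuple

# Caller-supplied over Binder; the bug was that its uid was trusted as-is.
ApplicationInfo = namedtuple("ApplicationInfo", "package_name uid")

class PackageNotFound(Exception): pass
class PermissionDenied(Exception): pass

class PackageManager:
    def __init__(self):
        self.packages = {}  # package name -> uid it was installed under

    def install(self, name, uid):
        self.packages[name] = uid

    def get_uid(self, name):
        if name not in self.packages:
            raise PackageNotFound(name)
        return self.packages[name]

    def set_package_stopped_state(self, name, stopped, caller_has_perm):
        # Same order as in the advisory: existence first, permission second,
        # so a not-yet-installed package never reaches the permission check.
        self.get_uid(name)
        if not caller_has_perm:
            raise PermissionDenied(name)

def start_process(app):
    # Stand-in for startProcessLocked(): the forked process runs as whatever
    # uid the supplied ApplicationInfo carries.
    return app.uid

def bind_backup_agent_vulnerable(pm, app, caller_has_perm):
    try:
        pm.set_package_stopped_state(app.package_name, False, caller_has_perm)
    except PackageNotFound:
        pass  # only a warning was logged; the call went on to fork anyway
    return start_process(app)

def bind_backup_agent_fixed(pm, app, caller_has_perm):
    # Cross-validate the ApplicationInfo against PackageManager and refuse
    # when the package is unknown or its uid differs from the one supplied.
    try:
        if pm.get_uid(app.package_name) != app.uid:
            return None
    except PackageNotFound:
        return None
    pm.set_package_stopped_state(app.package_name, False, caller_has_perm)
    return start_process(app)
```

With the package absent at check time (the race window from the advisory), the vulnerable path returns a process running as uid 1000 for a shell caller without the permission, while the hardened path refuses it; once the package is present, the hardened path also refuses a uid that does not match the installed one.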
 

EncryptedCurse

Senior Member
Jul 9, 2014
650
301
Locked bootloader means no recovery to flash su. As for root exploits, it's not just this device, it is all new devices. Unless a dev shows special interest in this device, we will be waiting for the next mass exploit such as Towelroot etc.

Sent from my XT907 using XDA Free mobile app

Installing superuser access doesn't necessarily require a recovery. Either way, the locked bootloader is still circumventable by something like Safestrap.
 

ponghclub

Senior Member
Dec 13, 2011
115
18
Hi... new here, just bought a Fire HD7, still playing with it... need to ask the experts a few questions... how do I sideload apps to it? I can't find the IP address anywhere... can we root this device yet? Any help is appreciated. Thanks
 
Last edited:
This forum sums it up. No root yet. Sideloading works for most apps. Personally I have used some alternate market apps and set up a Samba server using ES to connect. It's a pretty nice little tablet but it's missing that Google substance.

Sent from my T0LTE using XDA Free mobile app
 

ponghclub

Senior Member
Dec 13, 2011
115
18
This forum sums it up. No root yet. Sideloading works for most apps. Personally I have used some alternate market apps and set up a Samba server using ES to connect. It's a pretty nice little tablet but it's missing that Google substance.

Sent from my T0LTE using XDA Free mobile app
Thank you... I did some research on the XDA forum; there is a lot of information that makes me like the Fire HD7 more... still working on it, looks like a fun device... screen and hardware are great.
 

AndroidGraphix

Senior Member
Apr 4, 2011
1,266
377
Paradise Valley, AZ
Finally side-loaded Google Movies!

I'm happy with at least Google Movies. I couldn't side-load anything else, but at least now my kids can watch movies on this. I hope root comes soon. I can't stand these ads and I don't feel like paying 15.00 per tablet. I'd rather pay someone 30 bucks to root the tablet as a bounty, lol.
 

mgalyean

New member
Feb 22, 2015
2
0
Possible route to progress? wpa_supplicant buffer overrun

I wonder if the recently uncovered buffer overrun in Android wpa_supplicant when in p2p / Wi-Fi Direct mode could be leveraged to get root. My HD6 hasn't received an update since it was announced, and I turned off Wi-Fi to prevent one just in case someone can leverage this new vulnerability to allow owner rooting. I'd think it would involve using an app that enabled p2p along with a rooting apk, and that one would have to be careful to make sure a patch didn't come down from Amazon when Wi-Fi was turned on to run the root. You can bet that a patch will be coming down to close this very soon.

nakedsecurity sophos com/2015/04/24/wi-fi-security-software-chokes-on-network-names-opens-potential-hole-for-hackers/
 
