[ROOT][JB] New Easy Root Method For Jellybean

[captaincrook]

I present you all with a new root method provided by the the immaculate jcase. Rooting with this is fairly simple and the only requirement is that you have Jellybean for your device. This has proven to work with a variety of phones on Jellybean, with ICS turning up no rooted results. Thus, you must (!!) have Jellybean on your device.

NOTE: The latest T-Mobile USA OTA update (ver. 20F) is confirmed to still work with this method.

This has proven to work on a variety of phones across the P76* line including:

P769

Phones with the Canada WindMobile ROM

P768e

P768

P760


DO NOT THANK ME. INSTEAD THANK JCASE, WHO DID ALL THE WORK. I'M JUST A PARROT. BAWK.


-----

STEP 1

First, we must make sure you have spritebud. No it isn't a soda/beer mix! You can check for this either via ADB or through the app Terminal Emulator. Unhide the code for your selected method.

ADB:

adb shell ls -l /system/xbin/spritebud

Terminal Emulator:

ls -l /system/xbin/spritebud

If you get any error message along the lines of "no such file or directory", then you my friend are unable to root. Otherwise, you should be presented with information about spritebud, and that is your golden ticket to root.


STEP 2

Now that you know whether or not you are able to root, let us carry on for those who can.

I have written a thin guide on achieving root based on the steps that jcase has provided. They are as follows:

Download LGPwn.apk attached to this post
Install LGPwn.apk on your device
Launch LGPwn
READ popup message
Press "root me" to carry on the next part

When Backup has launched, choose Restore
Choose Internal storage
Choose LGPwn
Hit OK at the popup about Cross Model Restore
Make sure the Applications checkbox is checked, then select Continue
Let the app finish the restoring process[/code]

STEP 3

Once your decive has finished the restore process, you may ither reboot your phone from the current screen, or you may immediately head to the Play Store. Whichever choice you make, your next step is to download SuperSu from the Play Store and install it. When prompted, select normal install, and you sohuld be good to go with regards to root.

Congratulations! New root get!



---


APK Link: http://malware.asia/LGPwn.apk[/strike]

Original post: http://forum.xda-developers.com/showthread.php?p=42938989#post42938989

Github

Original post quoted:

Subject:
Race condition in Sprite Software's backup software, installed by OEM on LG Android devices.

Author:
Justin Case - [email protected]

CVE ID:
CVE-2013-3685

Effect:
Locally exploited vulnerability with minimal device user interaction which results in executing code as the root user. Under specific circumstances, it is possible to exploit this vulnerability without the device user's knowledge

Products:
"Backup"
"spritebud"

Vendors:
Sprite Software
LG Electronics
Potentially other vendors

Affected Versions:
spritebud 1.3.24
backup 2.5.4105
Likely others versions as well

Affected Devices (Subject to firmware configuration):
LG-E971 LG Optimus G
LG-E973 LG Optimus G
LG-E975 LG Optimus G
LG-E975K LG Optimus G
LG-E975T LG Optimus G
LG-E976 LG Optimus G
LG-E977 LG Optimus G
LG-F100K LG Optimus Vu
LG-F100L LG Optimus Vu
LG-F100S LG Optimus Vu
LG-F120K LG Optimus Vu
LG-F120L LG Optimus LTE Tag
LG-F120S LG Optimus LTE Tag
LG-F160K LG Optimus LTE 2
LG-F160L LG Optimus LTE 2
LG-F160LV LG Optimus LTE 2
LG-F160S LG Optimus LTE 2
LG-F180K LG Optimus G
LG-F180L LG Optimus G
LG-F180S LG Optimus G
LG-F200K LG Optimus Vu 2
LG-F200L LG Optimus Vu 2
LG-F200S LG Optimus Vu 2
LG-F240K LG Optimus G Pro
LG-F240L LG Optimus G Pro
LG-F240S LG Optimus G Pro
LG-F260K LG Optimus LTE 3
LG-F260L LG Optimus LTE 3
LG-F260S LG Optimus LTE 3
LG-L21 LG Optimus G
LG-LG870 LG (Unknown)
LG-LS860 LG Mach
LG-LS970 LG Optimus G
LG-P760 LG Optimus L9
LG-P769 LG Optimus L9
LG-P780 LG Optimus L7
LG-P875 LG Optimus F5
LG-P875h LG Optimus F5
LG-P880 LG Optimus 4X HD
LG-P940 LG Prada
LG-SU540 LG Prada 3.0
LG-SU870 LG Optimus 3D Cube
LG-US780 LG Lollipop
Potentially other devices as well.


Product Information:

"Backup" and "spritebud" are a setting and application backup/restore system written by Sprite Software and deployed on LG Android smartphones. "Backup" is the end user front end app, and "spritebud" is the service that preforms the backup and restore functions.


Details:

The "spritebud" daemon is started by the init scripts and runs as the root user. Listening on a unix socket, the daemon accepts instructions from the "Backup" app. Using a crafted backup, we can write to, change permission and change ownership of any file, being that "spritebud" is running under the root user.


The crafted backup contains restore data for our exploiting application, "com.cunninglogic.lgpwn". The data includes a 50mb dummy file (a) used to increase our exploit window, su binary (b), a script (c) to install su, and a text file (d) containing the path to our script. All files are owned by the application, and are world write/read/execute. All files are restored in alphabetical order. The entire backup, after compress, is approximately 2mb. The structure of this backup is as follows:


drwxrwxrwx u0_a114 u0_a114 2013-05-28 20:13 files


./files:
- -rwxr-xr-x u0_a114 u0_a114 52428800 2013-05-22 20:06 a
- -rwxr-xr-x u0_a114 u0_a114 91992 2013-05-22 20:07 b
- -rwxr-xr-x u0_a114 u0_a114 251 2013-05-22 20:12 c
- -rwxr-xr-x u0_a114 u0_a114 42 2013-05-22 20:07 d


Prior to restoration, our exploit app runs, watches the process and waits. During restoration, the spritebud daemon first creates the files directory, then sets it's permission and owner. Next it decompresses and restores the "a" file, our 50mb dummy files. During the restoration of "a", our exploit application has time to symlink "d", our text file containing the full path to our script (c), to /sys/kernel/uevent_helper. Upon restoration of file "d", our path is written to uevent_helper. When a hotplug even occurs (which occur every few seconds), the path contained in uevent_helper is execute by the kernel and our script (c) is executed and installs the su binary (b).

 

[jcase]

Hasn't been posted here, but could be of some use if someone messes with it. I take no credit. All of it goes to JCase (who is an awesome dood ;]) and I'm simply posting here for people who are able to probably get us a much easier root method. Our phones are listed as compatible so I'm thinking a more knowledgeable person should try and see if it works.

Just an FYI the compiled apk attached to the original post does not install for me (even through terminal) so someone will have to do some work on that if possible.

Original post: http://forum.xda-developers.com/showthread.php?p=42938989#post42938989

Github

For the lazy:

adb shell ls -l /system/xbin/spritebud

if spritebud exists on your firmware, then it will most likely work

The apk is in my original post only works on API 16 and up, just because of how I built it. If you have the spritebud binary, I will rebuild it for you

 

[Tablechair]

Spritebud is there. I've copied it from xbin and zipped it up for you here. Thanks http://db.tt/IPbe5O8w

Sent from my LG-P769 using xda premium

 

[jcase]

Spritebud is there. I've copied it from xbin and zipped it up for you here. Thanks http://db.tt/IPbe5O8w

Sent from my LG-P769 using xda premium

*edit* let me fix some bugs

 

[jcase]

@Tablechair @captaincrook updated github and the apk, try this apk http://malware.asia/LGPwn.apk. It should support Andoid 2.3.3 and up, and check for spritebud before allowing you to continue.

If this doesnt work, dump your stock system image and I will give you a different root

 

[Tablechair]

Will unroot and give it a shot once I get home later thanks dude.

Sent from my LG-P769 using xda premium

---------- Post added at 09:15 PM ---------- Previous post was at 08:57 PM ----------

It occurred to me that I don't need my PC to try this so I did a full unroot in supersu. Installed and ran your apk then restored lgpwn backup when the menu came up. After a reboot I couldn't find the supersu or superuser app but I got superSU from the playstore and it installed and prompted me to update binary after that I'm back rooted again. Spread the good word I guess. Thanks a lot dude!

Sent from my LG-P769 using xda premium

 

[jcase]

Will unroot and give it a shot once I get home later thanks dude.

Sent from my LG-P769 using xda premium

---------- Post added at 09:15 PM ---------- Previous post was at 08:57 PM ----------

It occurred to me that I don't need my PC to try this so I did a full unroot in supersu. Installed and ran your apk then restored lgpwn backup when the menu came up. After a reboot I couldn't find the supersu or superuser app but I got superSU from the playstore and it installed and prompted me to update binary after that I'm back rooted again. Spread the good word I guess. Thanks a lot dude!

Sent from my LG-P769 using xda premium

Great, perhaps @captaincrook can change the title, and manage the thread here?

 

[Tablechair]

If he wants to I'll delete mine. Got really excited wanted to let people know.

Sent from my LG-P769 using xda premium

 

[captaincrook]

I have just tested this and I have no positive results. I'm running ICS, firmware version 10G. I don't know if the KDZ is good enough for a system dump but I'd otherwise have to setup adb to grab a full one after I factory restore. I'll link the KDZ after I find a working link (or someone can assist with that?).

Let me note that I did find it bizarre to download and install SuperSu after the phone rebooted but I do not doubt your instructions.

 

[capfl2k5]

@Tablechair @captaincrook updated github and the apk, try this apk http://malware.asia/LGPwn.apk. It should support Andoid 2.3.3 and up, and check for spritebud before allowing you to continue.

If this doesnt work, dump your stock system image and I will give you a different root

Works with the l9 with 20d

 

[Tablechair]

I have just tested this and I have no positive results. I'm running ICS, firmware version 10G. I don't know if the KDZ is good enough for a system dump but I'd otherwise have to setup adb to grab a full one after I factory restore. I'll link the KDZ after I find a working link (or someone can assist with that?).

Let me note that I did find it bizarre to download and install SuperSu after the phone rebooted but I do not doubt your instructions.

Afterwards I thought well maybe something with the lelus rooting method made it so Supersu could just simply be reinstalled.(like it was just a placebo effect.) I again unrooted fully, tried to reinstall supersu it refused, and I again rerooted with LGpwn. You can also get supersu before running lgpwn and at the end of the restore a supersu permission thing pops up before restarting.

 

[jcase]

I have just tested this and I have no positive results. I'm running ICS, firmware version 10G. I don't know if the KDZ is good enough for a system dump but I'd otherwise have to setup adb to grab a full one after I factory restore. I'll link the KDZ after I find a working link (or someone can assist with that?).

Let me note that I did find it bizarre to download and install SuperSu after the phone rebooted but I do not doubt your instructions.

Why is it strange to install supersu? Exploit jsut installs "su" from Supersu. At the rate chainfire updates, it is a waste of space to include it in the exploit. Use can install and update, much safer.

does /system/xbin/spritebud exist on your device? Has your rom been modified at all?

I only tested this on one device, the rest were based on information obtained from firmware.

 

[Moto Mouth]

Works with the l9 with 20d

P769 v20D. That's a +1 for me. Works great thanks for the heads up.

 

[Swag-Mo]

you should change the thread title to read as New Riot Method...!!!

delighted to report back that this certainly does work on P768 running v20A south Africa... this is officially the easiest method for routing our... should be stickied in the general and development forums asap...

 

[captaincrook]

Afterwards I thought well maybe something with the lelus rooting method made it so Supersu could just simply be reinstalled.(like it was just a placebo effect.) I again unrooted fully, tried to reinstall supersu it refused, and I again rerooted with LGpwn. You can also get supersu before running lgpwn and at the end of the restore a supersu permission thing pops up before restarting.

I'll run more in the morning. Are you on 20D? I have supersu installed and get no such popup.

Why is it strange to install supersu? Exploit jsut installs "su" from Supersu. At the rate chainfire updates, it is a waste of space to include it in the exploit. Use can install and update, much safer.

does /system/xbin/spritebud exist on your device? Has your rom been modified at all?

I only tested this on one device, the rest were based on information obtained from firmware.

I have purposely not modified my device in any way (waiting for an easier root method). Is there any way I can check for success? I normally check if su exists in the app drawer (hence installing after being weird for me) or in system through terminal but I don't see it.

Spritebud does exist and was the first thing I checked for. Differences seeing here are me still being on the pure stock firmware the phone came with and not the jellybean upgrade. I will upgrade if I get nowhere by afternoon tomorrow and I'll see what's up with my phone and jellybean.

By the way, thanks for assisting us users.

 

[Tablechair]

I'll run more in the morning. Are you on 20D? I have supersu installed and get no such popup.

I am on v21b windmobile canada.

 

[kuma82]

The app did not find the spiritbud on the v10B (LGMS769)

Sent from my LGMS769 using xda app-developers app

 

[Tablechair]

I am on v21b windmobile canada.

I loaded up one of my old 10g nandroid backups and fully unrooted. Kuma beat me to it ^^^^ This does not work on ICS roms for L9. It goes thru the motions but the su app is not found afterward. I have uploaded a copy of the ICS P769 spritebud. https://www.dropbox.com/s/zhnkrlpu4u6k744/spritebudICSp769.zip

Thanks

 

[jcase]

I'll run more in the morning. Are you on 20D? I have supersu installed and get no such popup.



I have purposely not modified my device in any way (waiting for an easier root method). Is there any way I can check for success? I normally check if su exists in the app drawer (hence installing after being weird for me) or in system through terminal but I don't see it.

Spritebud does exist and was the first thing I checked for. Differences seeing here are me still being on the pure stock firmware the phone came with and not the jellybean upgrade. I will upgrade if I get nowhere by afternoon tomorrow and I'll see what's up with my phone and jellybean.

By the way, thanks for assisting us users.

It does not install superuser app, just su. If the phone reboots on its own, it should be successful.
You can check for su by installing supersu from the market, and allowing it to update.

 

[jcase]

The app did not find the spiritbud on the v10B (LGMS769)

Sent from my LGMS769 using xda app-developers app

Then that firmware is not compatible, its missing the vulnerable component.