• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!
  • Fill out your device list and let everyone know which phones you have!    Edit Your Device Inventory

Use Janus vulnerability to get root access?

Search This thread

mbirth

Senior Member
Nov 22, 2006
270
112
Berlin
Hello,

let's assume I have a super-secure Android phone that's known for not being rootable. Let's also assume, I've successfully tried the Janus vulnerability and was able to replace the classes.dex of a system app with a slightly modified one.

As far as I understand it, using the Janus vulnerability, you can only replace the classes.dex but no resources. So whatever is in the classes.dex can only work with the resources already there.

Now the big question: Is there any classes.dex that doesn't depend on specific resources and that I could use to get e.g. a root shell?
 

lucahack

Senior Member
Oct 26, 2015
50
18
Use Janus vulnerability to get root access ?

No, I think you can't really. It is maybe possible to root using this exploit by editing a system app because system apps have more rights than "normal" apps which are installed in /data partition. If you really want to use janus exploit to root your phone, try to find a privilege escalation exploit and edit an app to make it execute the exploit. But I think "normal" rooting methods are more efficients. You can install any app on your phone or update any apps, so you don't need Janus. Executing privilege escalation exploit is the only way to root your phone with no (not at 100% true, you can root your phone using recovery, but it is not the subject)
I hope I have helped you,
Have a n1ce day,
Luca
PS : Don't hesitate to thanks me
 
  • Like
Reactions: Delgoth

lucahack

Senior Member
Oct 26, 2015
50
18
Yes, you can. You can edit the system upgrade app to make it install a special package (that should be signed by recovery) to root your phone I think.
 
  • Like
Reactions: Delgoth

mbirth

Senior Member
Nov 22, 2006
270
112
Berlin
Yes, you can. You can edit the system upgrade app to make it install a special package (that should be signed by recovery) to root your phone I think.

There's no easier way? Something like copying a "su" binary to somewhere and setting a few filesystem permissions?
 

Delgoth

Senior Member
Dec 1, 2010
636
183
Yes, you can. You can edit the system upgrade app to make it install a special package (that should be signed by recovery) to root your phone I think.

I've been looking into that for awhile. I thought it was possible using dirtycow also maybe.

How would a special package still be usable and signed by the recovery?

Wouldn't modification break the recovery signing?
 

jcrutchvt10

Senior Member
Jan 31, 2011
57
23
I've been looking into that for awhile. I thought it was possible using dirtycow also maybe.

How would a special package still be usable and signed by the recovery?

Wouldn't modification break the recovery signing?

If you extract your ota certs from a valid OTA and sign the injected update.zip with those valid signatures it may be possible. That's the latest I've been looking into but the updater binaries are so complicated I don't know how it will work. I think the best option is smali edit within an app like testmode.apk on the K1 that can manipulate system properties and shared preferences. Once you can allow the properties to allow insecure adb or debuggable = true or secure = false you can do the rest of the work in adb. But BB probably has protections that will nullify on reboot.
 
Last edited:

Delgoth

Senior Member
Dec 1, 2010
636
183
If you extract your ota certs from a valid OTA and sign the injected update.zip with those valid signatures it may be possible. That's the latest I've been looking into but the updater binaries are so complicated I don't know how it will work. I think the best option is smali edit within an app like testmode.apk on the K1 that can manipulate system properties and shared preferences. Once you can allow the properties to allow insecure adb or debuggable = true or secure = false you can do the rest of the work in adb. But BB probably has protections that will nullify on reboot.

I have the Verizon test keys for the G925V 4CPI2 6.0.1, but my s6 edge is currently out of commission until I can find the signed bootloader binaries to upload to the device over the serial port. SDB and SDC are completely gone. I need to inject the data, but don't know the map of the sboot.bin

I had the same idea though. I'm glad I wasn't the only one. It got lost in the cracks because of other projects going on. I saw some malware one time that would install itself by piggybacking on the ota system update process, when you scheduled the update to occur five minutes from the current time. And that process I do believe relied on using a modified CSC or Cache once the process started.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    Use Janus vulnerability to get root access ?

    No, I think you can't really. It is maybe possible to root using this exploit by editing a system app because system apps have more rights than "normal" apps which are installed in /data partition. If you really want to use janus exploit to root your phone, try to find a privilege escalation exploit and edit an app to make it execute the exploit. But I think "normal" rooting methods are more efficients. You can install any app on your phone or update any apps, so you don't need Janus. Executing privilege escalation exploit is the only way to root your phone with no (not at 100% true, you can root your phone using recovery, but it is not the subject)
    I hope I have helped you,
    Have a n1ce day,
    Luca
    PS : Don't hesitate to thanks me
    1
    Yes, you can. You can edit the system upgrade app to make it install a special package (that should be signed by recovery) to root your phone I think.