Use Janus vulnerability to get root access?

mbirth

Senior Member
Nov 22, 2006
270
112
Berlin
Hello,

let's assume I have a super-secure Android phone that's known for not being rootable. Let's also assume I've successfully tried the Janus vulnerability and was able to replace the classes.dex of a system app with a slightly modified one.

As far as I understand it, using the Janus vulnerability, you can only replace the classes.dex but no resources. So whatever is in the classes.dex can only work with the resources already there.

Now the big question: Is there any classes.dex that doesn't depend on specific resources and that I could use to get e.g. a root shell?
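
A defender-side check for the file shape discussed in this thread, added here as an example and not part of any post: a file affected by Janus (CVE-2017-13156) starts with a DEX header while still parsing as a ZIP/APK from its trailer. The function names, report keys and sample bytes are constructed for illustration; the signing-block test relies on the "APK Sig Block 42" magic that ends the APK Signing Block used by signature scheme v2 and later.

```python
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"                    # DEX header: "dex\n" + version + NUL
EOCD_SIG = b"PK\x05\x06"                # ZIP End Of Central Directory record
SIG_BLOCK_MAGIC = b"APK Sig Block 42"   # trailer of the APK Signing Block


def inspect_apk(data: bytes) -> dict:
    """Report whether a file parses both as a DEX and as a ZIP/APK."""
    report = {"starts_with_dex": data[:4] == DEX_MAGIC, "is_zip": False,
              "leading_bytes": 0, "signing_block": False, "janus_suspect": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            offsets = [info.header_offset for info in zf.infolist()]
    except zipfile.BadZipFile:
        return report
    report["is_zip"] = True
    # zipfile corrects header offsets for prepended data, so the smallest one
    # is the number of bytes that sit in front of the first ZIP entry.
    report["leading_bytes"] = min(offsets, default=0)
    # The central directory ends where the EOCD begins; the signing block,
    # when present, ends with its magic right before the central directory.
    eocd = data.rfind(EOCD_SIG)
    cd_size = struct.unpack_from("<I", data, eocd + 12)[0]
    cd_start = eocd - cd_size
    report["signing_block"] = data[max(0, cd_start - 16):cd_start] == SIG_BLOCK_MAGIC
    report["janus_suspect"] = report["starts_with_dex"] and report["leading_bytes"] > 0
    return report


def constructed_apk() -> bytes:
    """Constructed sample: a minimal unsigned ZIP with a dummy classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(104))
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
    return buf.getvalue()


if __name__ == "__main__":
    clean = constructed_apk()
    # Constructed polyglot: a dummy 112-byte DEX header placed before the ZIP.
    polyglot = b"dex\n035\x00" + bytes(104) + clean
    for name, blob in (("clean", clean), ("polyglot", polyglot)):
        print(name, inspect_apk(blob))
```

A package that reports `janus_suspect` together with `signing_block: False` is signed, at most, with the JAR-based v1 scheme, which does not cover bytes placed in front of the first ZIP entry.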
 

BenjaminWegener

New member
Dec 19, 2017
1
0
I'll try to change a system app to gain higher rights, but I doubt this will be enough to write to system.

github.com/wegeneredv-de/CVE-2017-13156
 

lucahack

Senior Member
Oct 26, 2015
53
21
Use Janus vulnerability to get root access?

No, I think you can't really. It is maybe possible to root using this exploit by editing a system app because system apps have more rights than "normal" apps which are installed in the /data partition. If you really want to use the Janus exploit to root your phone, try to find a privilege escalation exploit and edit an app to make it execute the exploit. But I think "normal" rooting methods are more efficient. You can install any app on your phone or update any apps, so you don't need Janus. Executing a privilege escalation exploit is the only way to root your phone with no (not 100% true, you can root your phone using recovery, but it is not the subject)
I hope I have helped you,
Have a n1ce day,
Luca
PS: Don't hesitate to thank me
 

lucahack

Senior Member
Oct 26, 2015
53
21
Yes, you can. You can edit the system upgrade app to make it install a special package (that should be signed by recovery) to root your phone I think.
 
Yes, you can. You can edit the system upgrade app to make it install a special package (that should be signed by recovery) to root your phone I think.

I've been looking into that for a while. I thought it was possible using dirtycow also maybe.

How would a special package still be usable and signed by the recovery?

Wouldn't modification break the recovery signing?
 

jcrutchvt10

Senior Member
Jan 31, 2011
67
28
I've been looking into that for a while. I thought it was possible using dirtycow also maybe.

How would a special package still be usable and signed by the recovery?

Wouldn't modification break the recovery signing?

If you extract your ota certs from a valid OTA and sign the injected update.zip with those valid signatures it may be possible. That's the latest I've been looking into but the updater binaries are so complicated I don't know how it will work. I think the best option is smali edit within an app like testmode.apk on the K1 that can manipulate system properties and shared preferences. Once you can allow the properties to allow insecure adb or debuggable = true or secure = false you can do the rest of the work in adb. But BB probably has protections that will nullify on reboot.
 
If you extract your ota certs from a valid OTA and sign the injected update.zip with those valid signatures it may be possible. That's the latest I've been looking into but the updater binaries are so complicated I don't know how it will work. I think the best option is smali edit within an app like testmode.apk on the K1 that can manipulate system properties and shared preferences. Once you can allow the properties to allow insecure adb or debuggable = true or secure = false you can do the rest of the work in adb. But BB probably has protections that will nullify on reboot.

I have the Verizon test keys for the G925V 4CPI2 6.0.1, but my S6 edge is currently out of commission until I can find the signed bootloader binaries to upload to the device over the serial port. SDB and SDC are completely gone. I need to inject the data, but don't know the map of the sboot.bin.

I had the same idea though. I'm glad I wasn't the only one. It got lost in the cracks because of other projects going on. I saw some malware one time that would install itself by piggybacking on the ota system update process, when you scheduled the update to occur five minutes from the current time. And that process I do believe relied on using a modified CSC or Cache once the process started.
 
