[XZ2c] temp root exploit via CVE-2020-0041 including magisk setup


Dom195

Member
Jul 4, 2020
7
1
@j4nn, it still doesn't work. With my little knowledge I would assume the unzipping of the magisk-v20.4.zip doesn't work properly, because the command "./magisk-start.sh -2" says "magisk zip is not unpacked!". But if so, I don't know why:

Code:
D:\Downloads\XZ2 Compact Temp Root\2. Temp Root durchführen>adb devices
List of devices attached
BH900A5ZBZ      device


D:\Downloads\XZ2 Compact Temp Root\2. Temp Root durchführen>adb shell
H8324:/ $ cd /data/local/tmp
H8324:/data/local/tmp $ ./tama-mroot
[+] Detected H8324-52.1.A.0.618 target
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
[+] pipe file: 0xfffffffb2b7cd400
[+] file epitem at fffffffb1dccbc80
[+] Reallocating content of 'write8_inode' with controlled data.......[DONE]
[+] Overwriting 0xfffffffb2b7cd420 with 0xfffffffb1dccbcd0...[DONE]
[+] Write done, should have arbitrary read now.
[+] file operations: ffffff8aa081ebf8
[+] kernel base: ffffff8a9f680000
[+] Reallocating content of 'write8_selinux' with controlled data..[DONE]
[+] Overwriting 0xffffff8aa1a8f000 with 0x0...[DONE]
[+] init_cred: ffffff8aa182fcd0
[+] memstart_addr: 0xffffffc5c0000000
[+] First level entry: ce7bd003 -> next table at fffffffb0e7bd000
[+] Second level entry: e63b2003 -> next table at fffffffb263b2000
[+] sysctl_table_root = ffffff8aa185c710
[+] Reallocating content of 'write8_sysctl' with controlled data......[DONE]
[+] Overwriting 0xfffffffbb16a2a68 with 0xfffffffb3ac42000...[DONE]
[+] Injected sysctl node!
[+] Node write8_inode, pid 16300, kaddr fffffffb844b2180
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_selinux, pid 16370, kaddr fffffffb43b1b900
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_sysctl, pid 16209, kaddr fffffffb538d4900
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Cleaned up sendmsg threads
[+] epitem.next = fffffffb2b7cd420
[+] epitem.prev = fffffffb2b7cd4d8
[+] Launching privileged shell
root_by_cve-2020-0041:/data/local/tmp # pwd
/data/local/tmp
root_by_cve-2020-0041:/data/local/tmp # ls -lZ ./magiskpolicy
lrwxrwxrwx 1 shell shell u:object_r:shell_data_file:s0 22 2020-07-04 03:20 ./magiskpolicy -> magisk/magiskinit64
root_by_cve-2020-0041:/data/local/tmp # ls -lZ ./magisk/magiskinit64
ls: ./magisk/magiskinit64: No such file or directory
1|root_by_cve-2020-0041:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:kernel:s0
root_by_cve-2020-0041:/data/local/tmp # id -Z
context=u:r:kernel:s0
root_by_cve-2020-0041:/data/local/tmp # groups
input log adb sdcard_rw sdcard_r net_bt_admin net_bt inet net_bw_stats readproc uhid
root_by_cve-2020-0041:/data/local/tmp # cat ./magiskpolicy > /dev/null
cat: ./magiskpolicy: No such file or directory
1|root_by_cve-2020-0041:/data/local/tmp # cat ./magisk/magiskinit64 > /dev/null
cat: ./magisk/magiskinit64: No such file or directory
1|root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1
+ FRESH=false
+ '[' -1 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ FRESH=true
+ ./magiskpolicy --live --magisk 'allow dumpstate * * *'
./magisk-start.sh[33]: ./magiskpolicy: inaccessible or not found
127|root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -2
+ FRESH=false
+ '[' -2 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ FRESH=true
+ STAGE=2
+ '[' 2 '=' 2 ']'
+ mount -t tmpfs -o 'mode=755' none /sbin
+ chcon u:object_r:rootfs:s0 /sbin
+ chmod 755 /sbin
+ cp -a magisk/boot_patch.sh /sbin
cp: bad 'magisk/boot_patch.sh': No such file or directory
+ echo 'magisk zip is not unpacked!'
magisk zip is not unpacked!
+ umount /sbin
+ exit 1
1|root_by_cve-2020-0041:/data/local/tmp #
 

j4nn

Senior Member
Jan 4, 2012
1,237
2,453
@Dom195, please try the commands from post#20 just before starting ./tama-mroot and right after getting the temp root shell from it, and post the log please.
 
  • Like
Reactions: Dom195

Dom195

Member
Jul 4, 2020
7
1
@j4nn, here you have it and thanks again for helping me:

Code:
D:\Downloads\XZ2 Compact Temp Root\2. Temp Root durchführen>adb devices
List of devices attached
BH900A5ZBZ      device


D:\Downloads\XZ2 Compact Temp Root\2. Temp Root durchführen>adb shell
H8324:/ $ cd /data/local/tmp
H8324:/data/local/tmp $ pwd
/data/local/tmp
H8324:/data/local/tmp $ ls -lZ ./magiskpolicy
lrwxrwxrwx 1 shell shell u:object_r:shell_data_file:s0 22 2020-07-04 03:20 ./magiskpolicy -> magisk/magiskinit64
H8324:/data/local/tmp $ ls -lZ ./magisk/magiskinit64
ls: ./magisk/magiskinit64: No such file or directory
1|H8324:/data/local/tmp $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:shell:s0
H8324:/data/local/tmp $ id -Z
context=u:r:shell:s0
H8324:/data/local/tmp $ groups
input log adb sdcard_rw sdcard_r net_bt_admin net_bt inet net_bw_stats readproc uhid
H8324:/data/local/tmp $ cat ./magiskpolicy > /dev/null
cat: ./magiskpolicy: No such file or directory
1|H8324:/data/local/tmp $ cat ./magisk/magiskinit64 > /dev/null
cat: ./magisk/magiskinit64: No such file or directory
1|H8324:/data/local/tmp $ ./tama-mroot
[+] Detected H8324-52.1.A.0.618 target
[+] Mapped 200000
[+] selinux_enforcing before exploit: 0
[+] pipe file: 0xfffffffaee642700
[+] file epitem at fffffffaf47a1300
[+] Reallocating content of 'write8_inode' with controlled data.......[DONE]
[+] Overwriting 0xfffffffaee642720 with 0xfffffffaf47a1350...[DONE]
[+] Write done, should have arbitrary read now.
[+] file operations: ffffff8aa081ebf8
[+] kernel base: ffffff8a9f680000
[+] Reallocating content of 'write8_selinux' with controlled data....[DONE]
[+] Overwriting 0xffffff8aa1a8f000 with 0x0...[DONE]
[+] init_cred: ffffff8aa182fcd0
[+] memstart_addr: 0xffffffc5c0000000
[+] First level entry: 131aa9003 -> next table at fffffffb71aa9000
[+] Second level entry: 1446c7003 -> next table at fffffffb846c7000
[+] sysctl_table_root = ffffff8aa185c710
[+] Reallocating content of 'write8_sysctl' with controlled data........[DONE]
[+] Overwriting 0xfffffffbb16a2a68 with 0xfffffffb8b04c000...[DONE]
[+] Injected sysctl node!
[+] Node write8_inode, pid 31021, kaddr fffffffbb51c4a80
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_selinux, pid 31442, kaddr fffffffaf9bf3b00
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_sysctl, pid 31236, kaddr fffffffb64dbf900
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Cleaned up sendmsg threads
[+] epitem.next = fffffffaee642720
[+] epitem.prev = fffffffaee6427d8
[+] Launching privileged shell
root_by_cve-2020-0041:/data/local/tmp # pwd
/data/local/tmp
root_by_cve-2020-0041:/data/local/tmp # ls -lZ ./magiskpolicy
lrwxrwxrwx 1 shell shell u:object_r:shell_data_file:s0 22 2020-07-04 03:20 ./magiskpolicy -> magisk/magiskinit64
root_by_cve-2020-0041:/data/local/tmp # ls -lZ ./magisk/magiskinit64
ls: ./magisk/magiskinit64: No such file or directory
1|root_by_cve-2020-0041:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:kernel:s0
root_by_cve-2020-0041:/data/local/tmp # id -Z
context=u:r:kernel:s0
root_by_cve-2020-0041:/data/local/tmp # groups
input log adb sdcard_rw sdcard_r net_bt_admin net_bt inet net_bw_stats readproc uhid
root_by_cve-2020-0041:/data/local/tmp # cat ./magiskpolicy > /dev/null
cat: ./magiskpolicy: No such file or directory
1|root_by_cve-2020-0041:/data/local/tmp # cat ./magisk/magiskinit64 > /dev/null
cat: ./magisk/magiskinit64: No such file or directory
1|root_by_cve-2020-0041:/data/local/tmp # ls
Magisk-v20.4.zip magisk-setup.sh magisk-v20.4.zip tama-mroot
magisk           magisk-start.sh magiskpolicy     tama-mroot.zip
root_by_cve-2020-0041:/data/local/tmp #
 

j4nn

Senior Member
Jan 4, 2012
1,237
2,453
@Dom195, that shows that the first step, unpacking the stuff, either did not work or has been skipped.
Please try to follow the howto closely from the beginning.
 
  • Like
Reactions: Dom195

Dom195

Member
Jul 4, 2020
7
1
@j4nn, I tried again.

XZ2C: H8324
Build-Nr.: 52.1.A.0.618
USB debugging is activated

But still the same error:

Code:
D:\Downloads\XZ2 Compact Temp Root\2. Temp Root durchführen>adb devices
List of devices attached
BH900A5ZBZ      device


D:\Downloads\XZ2 Compact Temp Root\2. Temp Root durchführen>adb push tama-mroot.zip Magisk-v20.4.zip /data/local/tmp
tama-mroot.zip: 1 file pushed, 0 skipped. 0.6 MB/s (21355 bytes in 0.032s)
Magisk-v20.4.zip: 1 file pushed, 0 ski...d. 24.8 MB/s (5942417 bytes in 0.229s)
2 files pushed, 0 skipped. 20.3 MB/s (5963772 bytes in 0.281s)

D:\Downloads\XZ2 Compact Temp Root\2. Temp Root durchführen>adb shell
H8324:/ $ cd /data/local/tmp
H8324:/data/local/tmp $ unzip tama-mroot.zip
Archive:  tama-mroot.zip
replace magisk-start.sh? [y]es, [n]o, [A]ll, [N]one: y
  inflating: magisk-start.sh
replace magisk-setup.sh? [y]es, [n]o, [A]ll, [N]one: y
  inflating: magisk-setup.sh
replace tama-mroot? [y]es, [n]o, [A]ll, [N]one: y
  inflating: tama-mroot
H8324:/data/local/tmp $ chmod 755 tama-mroot magisk-setup.sh magisk-start.sh
H8324:/data/local/tmp $ ./magisk-setup.sh
+ '[' '' '=' --cleanup ']'
+ ZIPFILE=Magisk-v20.4.zip
+ '[' ! -d magisk ']'
H8324:/data/local/tmp $ ls
Magisk-v20.4.zip magisk-setup.sh magisk-v20.4.zip tama-mroot
magisk           magisk-start.sh magiskpolicy     tama-mroot.zip
H8324:/data/local/tmp $ ./tama-mroot
[+] Detected H8324-52.1.A.0.618 target
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
[+] pipe file: 0xffffffcc92bbad00
[+] file epitem at ffffffcc26feea00
[+] Reallocating content of 'write8_inode' with controlled data..[DONE]
[+] Overwriting 0xffffffcc92bbad20 with 0xffffffcc26feea50...[DONE]
[+] Write done, should have arbitrary read now.
[+] file operations: ffffff94b8c1ebf8
[+] kernel base: ffffff94b7a80000
[+] Reallocating content of 'write8_selinux' with controlled data..[DONE]
[+] Overwriting 0xffffff94b9e8f000 with 0x0...[DONE]
[+] init_cred: ffffff94b9c2fcd0
[+] memstart_addr: 0xfffffff480000000
[+] First level entry: 121c4a003 -> next table at ffffffcca1c4a000
[+] Second level entry: 1293f1003 -> next table at ffffffcca93f1000
[+] sysctl_table_root = ffffff94b9c5c710
[+] Reallocating content of 'write8_sysctl' with controlled data..[DONE]
[+] Overwriting 0xffffffccf16e2768 with 0xffffffccd58c3000...[DONE]
[+] Injected sysctl node!
[+] Node write8_inode, pid 15819, kaddr ffffffcc82247200
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_selinux, pid 16084, kaddr ffffffcc03730600
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_sysctl, pid 16077, kaddr ffffffcc036c7380
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Cleaned up sendmsg threads
[+] epitem.next = ffffffcc92bbad20
[+] epitem.prev = ffffffcc92bbadd8
[+] Launching privileged shell
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1
+ FRESH=false
+ '[' -1 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ FRESH=true
+ ./magiskpolicy --live --magisk 'allow dumpstate * * *'
./magisk-start.sh[33]: ./magiskpolicy: inaccessible or not found
127|root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -2
+ FRESH=false
+ '[' -2 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ FRESH=true
+ STAGE=2
+ '[' 2 '=' 2 ']'
+ mount -t tmpfs -o 'mode=755' none /sbin
+ chcon u:object_r:rootfs:s0 /sbin
+ chmod 755 /sbin
+ cp -a magisk/boot_patch.sh /sbin
cp: bad 'magisk/boot_patch.sh': No such file or directory
+ echo 'magisk zip is not unpacked!'
magisk zip is not unpacked!
+ umount /sbin
+ exit 1
1|root_by_cve-2020-0041:/data/local/tmp #

Do I have to use the command "unzip magisk-v20.4.zip" at any stage after unzipping tama-mroot.zip?
 

j4nn

Senior Member
Jan 4, 2012
1,237
2,453
@Dom195, please start with
Code:
cd /data/local/tmp
unzip tama-mroot.zip
chmod 755 tama-mroot magisk-setup.sh magisk-start.sh
./magisk-setup.sh --cleanup
./magisk-setup.sh
then do the commands recently posted, then follow with ./tama-mroot, and when you get the root shell, again run the commands recently posted. Then follow the 3 steps with ./magisk-start.sh.
 
  • Like
Reactions: Dom195
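A preflight check for the state j4nn asks about (the post#20 commands: does magiskpolicy resolve, does magisk/ hold what magisk-start.sh -2 copies), written here as an added example; it is not part of the tama-mroot package or of Magisk. The required-file list is assumed from the cp lines in the -2 trace, and the sample layouts are constructed in a temp directory.

```shell
#!/bin/sh
# Added example, not j4nn's code. magisk-setup.sh skips unpacking when a
# "magisk" directory already exists, so a stale or empty directory leaves
# magiskpolicy as a dangling symlink and magisk-start.sh -1/-2 fail later.
# This check tests for the files magisk-start.sh -2 actually copies rather
# than for the directory alone, so the problem is reported before tama-mroot
# is run at all.
# Assumption: the file list below mirrors the "cp -a magisk/..." lines of the
# -2 trace; "busybox" is only produced by "sh ./update-binary -x".
MAGISK_REQUIRED="boot_patch.sh magiskboot magiskinit64 busybox util_functions.sh"

# check_magisk_unpacked DIR
# Prints one diagnostic per problem; returns 0 only when magisk/ contains
# every required file and magiskpolicy is a symlink to an existing,
# executable target.
check_magisk_unpacked() {
    dir=$1
    rc=0
    if [ ! -d "$dir/magisk" ]; then
        echo "magisk/ missing: run ./magisk-setup.sh first"
        return 1
    fi
    for f in $MAGISK_REQUIRED; do
        if [ ! -f "$dir/magisk/$f" ]; then
            echo "magisk/$f missing: magisk zip is not unpacked (stale magisk/ dir?)"
            rc=1
        fi
    done
    if [ ! -L "$dir/magiskpolicy" ]; then
        echo "magiskpolicy symlink missing"
        rc=1
    elif [ ! -e "$dir/magiskpolicy" ]; then
        # -L true but -e false: the link exists, its target does not.
        echo "magiskpolicy is a dangling symlink -> $(readlink "$dir/magiskpolicy")"
        rc=1
    elif [ ! -x "$dir/magiskpolicy" ]; then
        echo "magiskpolicy target is not executable"
        rc=1
    fi
    return $rc
}

# make_layout DIR KIND: constructed sample layouts. "stale" mimics the failing
# logs (empty magisk/ plus dangling link); "ok" mimics the successful run.
make_layout() {
    dir=$1
    kind=$2
    mkdir -p "$dir/magisk"
    ln -sf magisk/magiskinit64 "$dir/magiskpolicy"
    if [ "$kind" = ok ]; then
        for f in $MAGISK_REQUIRED; do
            : > "$dir/magisk/$f"
        done
        chmod 755 "$dir/magisk/magiskinit64"
    fi
}

# Stand-alone demo: exercise both layouts in a throwaway directory.
demo_tmp=$(mktemp -d)
make_layout "$demo_tmp/stale" stale
check_magisk_unpacked "$demo_tmp/stale" || echo "stale layout rejected (expected)"
make_layout "$demo_tmp/ok" ok
check_magisk_unpacked "$demo_tmp/ok" && echo "ok layout accepted"
rm -rf "$demo_tmp"
```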

Dom195

Member
Jul 4, 2020
7
1
@j4nn, I don't really know what the exact problem was, but it did work this time!

Thanks a lot! Especially for being so patient with me :)

Do you have an explanation for me of what the problem was and why it succeeded now?


Code:
D:\Downloads\XZ2 Compact Temp Root\2. Temp Root durchführen>adb devices
List of devices attached
BH900A5ZBZ      device


D:\Downloads\XZ2 Compact Temp Root\2. Temp Root durchführen>adb shell
H8324:/ $ cd /data/local/tmp
H8324:/data/local/tmp $ unzip tama-mroot.zip
Archive:  tama-mroot.zip
replace magisk-start.sh? [y]es, [n]o, [A]ll, [N]one: y
  inflating: magisk-start.sh
replace magisk-setup.sh? [y]es, [n]o, [A]ll, [N]one: y
  inflating: magisk-setup.sh
replace tama-mroot? [y]es, [n]o, [A]ll, [N]one: y
  inflating: tama-mroot
H8324:/data/local/tmp $ chmod 755 tama-mroot magisk-setup.sh magisk-start.sh
H8324:/data/local/tmp $ ./magisk-setup.sh --cleanup
+ '[' --cleanup '=' --cleanup ']'
+ rm -rf magisk magiskpolicy
+ exit 0
H8324:/data/local/tmp $ ./magisk-setup.sh
+ '[' '' '=' --cleanup ']'
+ ZIPFILE=Magisk-v20.4.zip
+ '[' ! -d magisk ']'
+ mkdir -p magisk
+ cd magisk
+ unzip ../Magisk-v20.4.zip
Archive:  ../Magisk-v20.4.zip
  inflating: META-INF/MANIFEST.MF
  inflating: META-INF/CERT.RSA
  inflating: META-INF/CERT.SF
  inflating: arm/magiskinit
  inflating: META-INF/com/google/android/updater-script
  inflating: arm/magiskinit64
  inflating: META-INF/com/google/android/update-binary
  inflating: chromeos/kernel.keyblock
  inflating: chromeos/kernel_data_key.vbprivk
  inflating: x86/magiskinit
  inflating: common/util_functions.sh
  inflating: arm/magiskboot
  inflating: x86/magiskinit64
  inflating: common/addon.d.sh
  inflating: common/magisk.apk
  inflating: chromeos/futility
  inflating: common/boot_patch.sh
  inflating: x86/magiskboot
+ mv META-INF/com/google/android/update-binary arm/magiskboot arm/magiskinit64 common/addon.d.sh common/boot_patch.sh common/util_functions.sh .
+ sh ./update-binary -x
2034+0 records in
2034+0 records out
2082816 bytes (1.9 M) copied, 0.020006 s, 99 M/s
1410+1 records in
1410+1 records out
1443916 bytes (1.3 M) copied, 0.015296 s, 90 M/s
+ pm install -r common/magisk.apk
Success
+ rm -rf update-binary META-INF arm chromeos common x86
+ cd ..
+ ln -s magisk/magiskinit64 magiskpolicy
H8324:/data/local/tmp $ pwd
/data/local/tmp
H8324:/data/local/tmp $ ls -lZ ./magiskpolicy
lrwxrwxrwx 1 shell shell u:object_r:shell_data_file:s0 22 2020-07-11 00:29 ./magiskpolicy -> magisk/magiskinit64
H8324:/data/local/tmp $ ls -lZ ./magisk/magiskinit64
-rwxrwxrwx 1 shell shell u:object_r:shell_data_file:s0 353736 2020-07-11 00:29 ./magisk/magiskinit64
H8324:/data/local/tmp $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:shell:s0
H8324:/data/local/tmp $ id -Z
context=u:r:shell:s0
H8324:/data/local/tmp $ groups
input log adb sdcard_rw sdcard_r net_bt_admin net_bt inet net_bw_stats readproc uhid
H8324:/data/local/tmp $ cat ./magiskpolicy > /dev/null
H8324:/data/local/tmp $ cat ./magisk/magiskinit64 > /dev/null
H8324:/data/local/tmp $ ./tama-mroot
[+] Detected H8324-52.1.A.0.618 target
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
[+] pipe file: 0xfffffff47b218800
[+] file epitem at fffffff46afc2d00
[+] Reallocating content of 'write8_inode' with controlled data..........[DONE]
[+] Overwriting 0xfffffff47b218820 with 0xfffffff46afc2d50...[DONE]
[+] Write done, should have arbitrary read now.
[+] file operations: ffffff8ebb61ebf8
[+] kernel base: ffffff8eba480000
[+] Reallocating content of 'write8_selinux' with controlled data...[DONE]
[+] Overwriting 0xffffff8ebc88f000 with 0x0...[DONE]
[+] init_cred: ffffff8ebc62fcd0
[+] memstart_addr: 0xffffffcc40000000
[+] First level entry: 12abc0003 -> next table at fffffff4eabc0000
[+] Second level entry: 10aa05003 -> next table at fffffff4caa05000
[+] sysctl_table_root = ffffff8ebc65c710
[+] Reallocating content of 'write8_sysctl' with controlled data....[DONE]
[+] Overwriting 0xfffffff53168cf68 with 0xfffffff4d975b000...[DONE]
[+] Injected sysctl node!
[+] Node write8_inode, pid 17599, kaddr fffffff52b539f80
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_selinux, pid 17501, kaddr fffffff517188300
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_sysctl, pid 17782, kaddr fffffff4c247de80
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Cleaned up sendmsg threads
[+] epitem.next = fffffff47b218820
[+] epitem.prev = fffffff47b2188d8
[+] Launching privileged shell
root_by_cve-2020-0041:/data/local/tmp # pwd
/data/local/tmp
root_by_cve-2020-0041:/data/local/tmp # ls -lZ ./magiskpolicy
lrwxrwxrwx 1 shell shell u:object_r:shell_data_file:s0 22 2020-07-11 00:29 ./magiskpolicy -> magisk/magiskinit64
root_by_cve-2020-0041:/data/local/tmp # ls -lZ ./magisk/magiskinit64
-rwxrwxrwx 1 shell shell u:object_r:shell_data_file:s0 353736 2020-07-11 00:29 ./magisk/magiskinit64
root_by_cve-2020-0041:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:kernel:s0
root_by_cve-2020-0041:/data/local/tmp # id -Z
context=u:r:kernel:s0
root_by_cve-2020-0041:/data/local/tmp # groups
input log adb sdcard_rw sdcard_r net_bt_admin net_bt inet net_bw_stats readproc uhid
root_by_cve-2020-0041:/data/local/tmp # cat ./magiskpolicy > /dev/null
root_by_cve-2020-0041:/data/local/tmp # cat ./magisk/magiskinit64 > /dev/null
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1
+ FRESH=false
+ '[' -1 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ FRESH=true
+ ./magiskpolicy --live --magisk 'allow dumpstate * * *'
Load policy from: /sys/fs/selinux/policy
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -2
+ FRESH=false
+ '[' -2 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ FRESH=true
+ STAGE=2
+ '[' 2 '=' 2 ']'
+ mount -t tmpfs -o 'mode=755' none /sbin
+ chcon u:object_r:rootfs:s0 /sbin
+ chmod 755 /sbin
+ cp -a magisk/boot_patch.sh /sbin
+ cp -a magisk/magiskboot /sbin
+ cp -a magisk/magiskinit64 /sbin
+ cp -a magisk/busybox /sbin
+ cp -a magisk/util_functions.sh /sbin
+ cd /sbin
+ chmod 755 boot_patch.sh busybox magiskboot magiskinit64 util_functions.sh
+ mkdir r
+ mount -o bind / r
+ cp -a r/sbin/. /sbin
+ umount r
+ rmdir r
+ mv magiskinit64 magiskinit
+ ./magiskinit -x magisk magisk
+ ln -s /sbin/magiskinit /sbin/magiskpolicy
+ ln -s /sbin/magiskinit /sbin/supolicy
+ true
+ rm -rf /data/adb/magisk.db /data/adb/magisk
+ mkdir -p /data/adb/magisk
+ chmod 700 /data/adb
+ cp -a busybox /data/adb/magisk
+ cp -a magisk /data/adb/magisk
+ cp -a magiskboot /data/adb/magisk
+ cp -a magiskinit /data/adb/magisk
+ cp -a util_functions.sh /data/adb/magisk
+ cp -a boot_patch.sh /data/adb/magisk
+ chmod -R 755 /data/adb/magisk
+ chown -R root:root /data/adb/magisk
+ chcon -R u:object_r:magisk_file:s0 /data/adb/magisk
+ rm -f magiskboot util_functions.sh boot_patch.sh
+ ln -s /sbin/magisk /sbin/su
+ ln -s /sbin/magisk /sbin/resetprop
+ ln -s /sbin/magisk /sbin/magiskhide
+ mkdir /sbin/.magisk
+ chmod 755 /sbin/.magisk
+ >/sbin/.magisk/config
+ echo 'KEEPVERITY=true'
+ >>/sbin/.magisk/config
+ echo 'KEEPFORCEENCRYPT=true'
+ chmod 000 /sbin/.magisk/config
+ mkdir -p /sbin/.magisk/busybox
+ chmod 755 /sbin/.magisk/busybox
+ mv busybox /sbin/.magisk/busybox
+ mkdir -p /sbin/.magisk/mirror
+ chmod 000 /sbin/.magisk/mirror
+ mkdir -p /sbin/.magisk/block
+ chmod 000 /sbin/.magisk/block
+ mkdir -p /sbin/.magisk/modules
+ chmod 755 /sbin/.magisk/modules
+ mkdir -p /data/adb/modules
+ chmod 755 /data/adb/modules
+ mkdir -p /data/adb/post-fs-data.d
+ chmod 755 /data/adb/post-fs-data.d
+ mkdir -p /data/adb/service.d
+ chmod 755 /data/adb/service.d
+ chcon -R -h u:object_r:rootfs:s0 /sbin/.magisk
+ chcon u:object_r:magisk_file:s0 /sbin/.magisk/busybox/busybox
+ /sbin/magisk --daemon
client: launching new main daemon process
+ pidof magiskd
+ MP=21535
+ '[' -z 21535 ']'
+ >/sbin/.magisk/escalate
+ echo 21535
+ '[' -e /sbin/.magisk/escalate ']'
+ sleep 1
+ '[' -e /sbin/.magisk/escalate ']'
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -3
+ FRESH=false
+ '[' -3 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ STAGE=3
+ '[' 3 '=' 2 ']'
+ >/sbin/.magisk/magiskd
+ echo -e '#!/system/bin/sh\n/sbin/magisk --daemon'
+ chmod 755 /sbin/.magisk/magiskd
+ chcon u:object_r:dumpstate_exec:s0 /sbin/.magisk/magiskd
+ getprop init.svc.dumpstate
+ SVC=''
+ timeout=10
+ '[' 10 -gt 0 ']'
+ stop dumpstate
+ killall -9 magiskd
+ stop dumpstate
+ mount -o bind /sbin/.magisk/magiskd /system/bin/dumpstate
+ start dumpstate
+ timeout=10
+ '[' 10 -le 0 ']'
+ pidof magiskd
+ MP=21552
+ '[' -n 21552 ']'
+ break
+ stop dumpstate
+ sleep 1
+ umount /system/bin/dumpstate
+ rm -f /sbin/.magisk/magiskd
+ '[' '' '=' running ']'
+ rm -f /dev/.magisk_unblock
+ /sbin/magisk --post-fs-data
+ timeout=10
+ '[' -e /dev/.magisk_unblock -o 10 -le 0 ']'
+ sleep 1
+ timeout=9
+ '[' -e /dev/.magisk_unblock -o 9 -le 0 ']'
+ /sbin/magisk --service
+ sleep 1
+ /sbin/magisk --boot-complete
+ chmod 751 /sbin
root_by_cve-2020-0041:/data/local/tmp #
 

j4nn

Senior Member
Jan 4, 2012
1,237
2,453
exploit sources released

Exploit sources for all temp root releases are available at my github here.
 
  • Love
Reactions: anthyG

Alvie009

New member
Nov 3, 2020
1
0
Can you make one for the Japanese Xperia XZ2C (SO-05K)? Because when I try, I always get the error 'devices not supported'.
 

yosia_ryan

Member
Jan 7, 2019
9
3
21
Sony Xperia XZ2 Premium
exploit sources released

Exploit sources for all temp root releases are available at my github here.
Hello @j4nn, I know from someone that version 52.1.B.0.188 on the Sony XZ2 Compact docomo (SO-05K) can be temprooted.

I already have boot/kernel, abl, aop and bluetooth of the A10 version 52.1.B.0.188 (SO-05K),
but I don't have good skills to make this exploit, it's really hard.
Can you make one for (SO-05K)? :(
Please help me to temproot the XZ2C (SO-05K).
 

Attachments

  • bootxz2c.img
    64 MB · Views: 6
  • hasil extact.py a10 188.zip
    23.8 MB · Views: 7

Top Liked Posts

  • 6
    temp root exploit for sony xperia XZ2/XZ2c/XZ2p/XZ3 with android 10 firmware
    Get a root shell with still locked bootloader.
    The main thread is located in xz2 forum section here.
    1
    @ahzam, hey, this is a temp root, so it is obvious you lose it with reboot.
    Normally only adb shell is provided with an exploit. I have implemented a working start of magisk from the exploit including asking for su permission from apps.
    That allows great use of the temp root vs plain temp root shell.
    Not only that, you may back up the locked TA for eventual restore of DRM keys.
    You can permanently modify the oem partition for debloat or IMS support.
    Or you can use backup apps that require root.
    Or an iptables based firewall is great too, you know.
    There may be many other working use cases, like ads removal, if implemented properly (systemless-ly), not tested though.
    Do you think that's little use? If someone is not allowed to BL unlock (or does not want to), it looks like it actually is something!
    1
    @ahzam, that's right, the exploit needs to be run from adb. It would need to be extended to allow privilege escalation from an untrusted app context, i.e. to run it from a normal app / terminal emulator on the phone without use of adb. As it is temproot, you need to start it after each reboot.
    Cannot help you with hiding, did not test that.
    But I would assume magiskhide could eventually work. If it did not for some app, it may help to restart (and erase the data of) such an app. Due to magisk being started late from the exploit instead of during boot, some modules may get started too late and therefore look like they are not working; restarting the involved apps/services could help.
    When an app asks for root, there is an option if it should be allowed once or permanently. Just select what you need. If you want to change that decision later, you can do that in magisk manager.
    1
    magiskpolicy is inaccessible or not found

    Hi @j4nn! Thanks for giving me hope using my old H8324 XZ2c dual in a new way with temp root!

    I followed your instructions and all worked so far. But now I'm stuck at the point where I want to activate temp root and start magisk.

    The command "./tama-mroot" works as expected but at the next step "./magisk-start.sh -1" I always get the error that the magiskpolicy is inaccessible or not found.


    "root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1
    + FRESH=false
    + '[' -1 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + ./magiskpolicy --live --magisk 'allow dumpstate * * *'
    ./magisk-start.sh[33]: ./magiskpolicy: inaccessible or not found"


    Maybe it's easy to solve or I did something wrong, but I'm a newbie at this and don't find a mistake.

    Do you have an idea what the problem is?

    Thanks in advance for your answer!


    Also thanks @ferluna18 for the perfect guide to downgrade my XZ2c with locked bootloader to a FW that works with the temp root.
    1
    @Dom195, have you run the prepare step, with the unzip and magisk-setup.sh? That should make magiskpolicy available.