The root problem is DM verity - here are links to descriptions/procedures - Galaxy S6 Active

So after messaging a handful of devs asking about rooting this device, the main problem is dm verity.
There are a few exploits that might work at gaining root privileges (CVE-2015-3636 or later for example). However, whenever you change boot or /system, dm verify will panic and fail, resulting in no startup.
Persistent root is then not feasible...yet. Finding the exploit to gain root privileges is not an issue as these exploits are already available; the problem is keeping root privileges as dm verity will panic and freeze startup when it sees changes is /system or BOOT.
Since I have gone from a rooted lg g2 4.4.2 to this 5.0.2 phone, I never had to deal with dm verity. Some very useful articles that describe how dm verity works are included here:
http://www.xda-developers.com/a-look-at-marshmallow-root-verity-complications/
and here:
http://www.xda-developers.com/google-taking-aim-at-device-modders-in-android-4-4-kitkat/
Here is a blog that goes through step by step of dm verity and what is needs to function
http://nelenkov.blogspot.co.uk/2014/05/using-kitkat-verified-boot.html
Feel free to message any devs that you think could help with dm verity

oh,it sounds like so terrible~
通过我的 Nexus 4 上的 Tapatalk发言

Is it possible to atleast gain temporary root?

No, the phone will not even boot up if any change in the system files are detected after restarting the phone.

That's why Chainfire released systemless root, so it is possible to utilize root even without touching the system partition.
Android has some critical vulnerabilities (like broadcom wifi driver from february), but there is no publicily known way how to exploit them - and that's the main issue..
And if there will be, you still may have to deal with ASLR, SELinux and Knox security just to execute code. Only then you should worry about dm-verity. It drives me crazy how secure devices are these days, but we can thank malware makers for that...

Related

Getting proper su at very early init via one of .rc files?

Hello dear Chainfire and community!
I have a rather obscure issue: I want to run a root script at very early init.
The script (predictably) runs afoul of Selinux policy (who'd have thought) and since it's a chinese phone no sources are available.
Good things:
I can unpack/repack boot.img without issue, and can add/start services from .rc
Phone is rootable and after proper boot, SuperSu works fine (and so does setenforce 0)
Bad things:
This is lolipop 5.0 so install-recovery.sh and anything else of that general kind is not available
Source (and thus opportunity to change sepolicy) not available
SuperSu daemon's normal start is waaaaay too late for what I'm trying to do.
Question:
Given that I can add my own service and run it as I please, is there a way to "kickstart" su functionality early-on (so I can set Selinux to permissive and run my stuff), without breaking functioning of supersu after boot completes?

[2016.10.10] suhide v0.55 [CLOSED]

THIS IS CURRENTLY NOT WORKING
A newer version is available here: https://forum.xda-developers.com/apps/supersu/suhide-lite-t3653855
suhide is an experimental (and officially unsupported) mod for SuperSU that can selectively hide root (the su binary and package name) from other applications.
Pros
- Hides root on a per-app base, no need to globally disable root
- Doesn't need Xposed
- Even supports SuperSU's ancient app compatibility mode (BINDSYSTEMXBIN)
- Passes SafetyNet attestation by default on stock ROMs (last officially tested on 2016.10.07)
Cons
- Ultimately a losing game (see the next few posts)
- No GUI (at the moment) - Unofficial GUI by loserskater
Requirements
- SuperSU v2.78 SR1 or newer (link)
- SuperSU installed in systemless mode
- Android 6.0 or newer
- TWRP (3.0.2 or newer, with access to /data - link!) or FlashFire (link)
Xposed
Xposed is not currently officially supported, but if you want to use it directly, you must be using @topjohnwu 's systemless xposed v86.2 exactly (attached at the bottom). It seems to mostly work during my non-extensive testing, but there are still some performance issues (both boot-time and run-time). Proceed with caution, expect bootloop.
Alternatively, there are some reports that the latest Magisk version + the latest systemless xposed (for Magisk) also works. I have not personally tested this.
CyanogenMod
I've personally tested with CM13 on i9300 without issue, however, several users are reporting it doesn't work for them. Proceed with caution, expect bootloop. Also, aside from just flashing SuperSU, you need to make sure /system/bin/su and /system/xbin/su are removed, or CM's internal root will still be used.
Usage
Install/Upgrade
- Make sure you have the latest SuperSU version flashed in systemless mode
- Make sure you are using the latest TWRP or FlashFire version
- Remove any and all Xposed versions
- If you have been having issues, flash suhide-rm-vX.YY.zip first, and note that your blacklist has been lost.
- Flash the attached suhide-vX.YY.zip
- If you are upgrading from suhide v0.16 or older, reflash SuperSU ZIP, and note that your blacklist has been lost.
- Optionally, flash the Xposed version linked above, and pray
At first install SafetyNet is automatically blacklisted.
If you have just flashed a ROM, it is advised to let it fully boot at least once before installing suhide.
Uninstall
- Flash the attached suhide-rm-vX.YY.zip. The version may appear older, the uninstall script doesn't change very often.
Blacklisting an app
You need the UID (10000 to 99999, usually 10xxx) of the app, which can be tricky to find, or the process name. There may be a GUI for this at some point.
(Note that all commands below need to be executed from a root shell)
If you know the package name, ls -nld /data/data/packagename will show the UID - usually the 3rd column.
Similarly, for running apps, ps -n | grep packagename will also show the UID - usually the 1st column.
Note that the process name is often the same as the package name, but this is not always the case. UID is more reliable for identifying a specific app, and it is also faster than blocking based on process names.
When you know the UID or process name:
Add to blacklist: /su/suhide/add UID or /su/suhide/add processname
Remove from blacklist: /su/suhide/rm UID or /su/suhide/rm processname
List blacklist: /su/suhide/list
All running processes for that UID or process name need to be killed/restarted for su binary hiding. For SuperSU GUI hiding, the device needs to be restarted. I recommend just (soft-)rebooting your device after making any changes.
Please keep in mind that many apps store their rooted state, so you may need to clear their data (and then reboot).
Integration into SuperSU
This mod isn't stable, and probably will never be (see the next few posts). As SuperSU does aim to be stable, I don't think they're a good match. But who knows, it all depends on how things progress on the detection side.
Detections
This mod hides the su binary pretty well, and does a basic job of hiding the SuperSU GUI. The hiding is never perfect, and suhide itself is not undetectable either. This will never be a perfectly working solution.
Debugging bootloops
- Get your device in a booting state
- Make sure you have TWRP or a similar recovery
- Install LiveBoot (link)
- If you are not a LiveBoot Pro user, enable the Freeload option
- Enable the Save logs option
- Recreate the bootloop
- In TWRP, get /cache/liveboot.log , and ZIP+attach it to a post here.
Download
Attached below.
Any rm version should work to uninstall any suhide version.
There may be multiple versions of suhide attached, please look carefully which one you are downloading!
YOU ARE EXPLICITLY NOT ALLOWED TO REDISTRIBUTE THESE FILES
(pre-v0.51: 17410 downloads)
Hiding root: a losing game - rant du jour
Most apps that detect root fall into the payment, banking/investing, corporate security, or (anit cheating) gaming category.
While a lot of apps have their custom root detection routines, with the introduction of SafetyNet the situation for power users has become worse, as developers of those apps can now use a single API to check if the device is not obviously compromised.
SafetyNet is of course developed by Google, which means they can do some tricks that others may not be able to easily do, as they have better platform access and control. In its current incarnation, ultimately the detection routines still run as an unprivileged user and do not yet use information from expected-to-be-secure components such as the bootloader or TPM. In other words, even though they have slightly more access than a 3rd party app, they still have less access than a root app does.
Following from this is that as long as there is someone who is willing to put in the time and effort - and this can become very complex and time consuming very quickly - and SafetyNet keeps their detection routines in the same class, there will in theory always be a way to beat these detections.
While reading that may initially make some of you rejoice, this is in truth a bad thing. As an Android security engineer in Google's employ has stated, they need to "make sure that Android Pay is running on a device that has a well documented set of API’s and a well understood security model".
The problem is that with a rooted device, it is ultimately not possible to guarantee said security model with the current class of SafetyNet tamper detection routines. The cat and mouse game currently being played out - SafetyNet detecting root, someone bypassing it, SafetyNet detecting it again, repeat - only serves to emphasize this point. The more we push this, the more obvious this becomes to all players involved, and the quicker SafetyNet (and similar solutions) will grow beyond their current limitations.
Ultimately, information will be provided and verified by bootloaders/TrustZone/SecureBoot/TIMA/TEE/TPM etc. (Samsung is already doing this with their KNOX/TIMA solutions). Parts of the device we cannot easily reach or patch, and thus there will come a time when these detection bypasses may no longer viable. This will happen regardless of our efforts, as you can be sure malware authors are working on this as well. What we power-users do may well influence the time-frame, however. If a bypass attains critical mass, it will be patched quickly.
More security requires more locking down. Ultimately these security features are about money - unbelievably large amounts of money. This while our precious unlocked bootloaders and root solutions are more of a developer and enthusiast thing. While we're all generally fond of shaking our fists at the likes of Google, Samsung, HTC, etc, it should be noted that there are people in all these companies actively lobbying to keep unlocked/unlockable devices available for us to play with, with the only limitation being that some financial/corporate stuff may not work if we play too hard.
It would be much easier (and safer from their perspective) for all these parties to simply plug that hole and fully lock down the platform (beyond 3rd party apps using only the normal APIs). Bypassing root checks en masse is nothing less than poking the bear.
Nevertheless, users want to hide their roots (so do malware authors...) and at least this implementation of suhide is a simple one. I still think it's a bad idea to do it. Then again, I think it's a bad idea to do anything financial related on Android smartphone that isn't completely clean, but that's just me.
Note that I have intentionally left out any debate on whether SafetyNet/AndroidPay/etc need to be this perfectly secure (most people do their banking on virus ridden Windows installations after all), who should get to decide which risk is worth taking, or even if Google and cohorts would be able to design the systems more robustly so the main app processor would not need to be trusted at all. (the latter could be done for Android Pay, but wouldn't necessarily solve anything for Random Banking App). While those are very interesting discussion points, ultimately it is Google who decides how they want this system to work, regardless of our opinions on the matter - and they want to secure it.
--- reserved ---
Changelogs
2016.10.10 - v0.55 - RELEASE NOTES
- Some code cleanup
- Support for blocking based on process name
- Should fix some crashes (requires uninstall/reinstall to activate)
2016.10.07 - v0.54 - RELEASE NOTES
- Fix for latest SafetyNet update
2016.09.19 - v0.53 - RELEASE NOTES
- Haploid container (monoploid)
2016.09.18 - v0.52 - see v0.51 release notes below
- Fix root loss on some firmwares
2016.09.18 - v0.51 - RELEASE NOTES
- Complete redesign
- Zygote proxying (haploid)
- Binder hijacking (diploid)
- su.d instead of ramdisk modification
- Xposed supported (-ish)
2016.09.04 - v0.16 - RELEASE NOTES
- Fix some SELinux access errors
- Should now work on devices that ask for a password/pattern/pin immediately at boot - for real this time!
- Binderjacking improvements for Nougat
2016.08.31 - v0.12 - RELEASE NOTES
- Fix some issues with suhide-add/rm scripts
- Fix not working at all on 32-bit devices
- Should now work on devices that ask for a password/pattern/pin immediately at boot
- Rudimentary GUI hiding
- No longer limited to arm/arm64 devices: support for x86/x86_64/mips/mips64 devices added
2016.08.29 - v0.01
- Initial release
As always thank you Chainfire! I will try and edit this post.
Edit @Chainfire this seems to work for enabling Android Pay! I didn't get the chance to actually pay yet. But it did let me add my card and did not display the message about a failed authorization of Android check! Before I couldn't even get past that first screen.
Edit 2: @Chainfire It seems to of had an adverse effect on Snapchat. I cleared cache on the app, uninstalled and reinstalled and restarted. It kept Force closing after a photo no matter what. I used suhide-rm and it seems to have fixed the app from any issues. Thanks again and hopefully we'll get you some more reports. Either way your solution works!
Tested on stock rooted 7.0 Nexus 6p.
@Chainfire
What was your reason for doing this project?
Sent from my Nexus 6P using XDA-Developers mobile app
Ofthecats said:
What was your reason for doing this project?
Click to expand...
Click to collapse
For building it, curious if the method I came up with would work well. For releasing, if others are doing it, join them or be left behind.
I'm assuming with custom ROM android pay still won't work right?
HamsterHam said:
I'm assuming with custom ROM android pay still won't work right?
Click to expand...
Click to collapse
I'd just give it a try. It's spoofing the specific app, not the entire ROM that matters. It's fairly simple to try.
Installed on LG G4 w/ V20g-EUR-XX update and rerooted with TWRP 3.0.2-0 and SuperSU-v2.76-2016063161323. seems to be working fine, for the moment. Thank you for the update.
So far so good, I was able to add card to android pay. I would try using it during lunch and report back. Again, thanks for the continuous hard work.
djide said:
So far so good, I was able to add card to android pay. I would try using it during lunch and report back. Again, thanks for the continuous hard work.
Click to expand...
Click to collapse
What was the UID or process you found to blacklist it with?
Sent from my ONEPLUS A3000 using Tapatalk
how to install it? which file should I flash ? Both?
I can't see to add an app using terminal.
I'm typing in
/data/adb/suhide-add 10284
Says file not found. Can someone help, cheers.
Joshmccullough said:
What was the UID or process you found to blacklist it with?
Click to expand...
Click to collapse
Android Pay comes blacklisted out-of-the-box
HamsterHam said:
I can't see to add an app using terminal.
I'm typing in
/data/adb/suhide-add 10284
Says file not found. Can someone help, cheers.
Click to expand...
Click to collapse
Are you in Android or TWRP ?
ls -l /data/adb/
Chainfire said:
Android Pay comes blacklisted out-of-the-box
Click to expand...
Click to collapse
Derp. That's what I get for not reading the entire sentence under 'Install' in the OP......thanks!
PedroM.CostaAndrade said:
how to install it? which file should I flash ? Both?
Click to expand...
Click to collapse
Please don't quote a large post like that just to ask a single question.
Please read the first post, so you know what to do.
OnePlus 2 here, stock 6.0.1, systemless rooted with SuperSU Pro v2.76, flahed using Flashfire.
Passes SafetyNet check, does not pass my bank's root check, propably for the reasons the OP states above.
thdervenis said:
OnePlus 2 here, stock 6.0.1, systemless rooted with SuperSU Pro v2.76, flahed using Flashfire.
Passes SafetyNet check, does not pass my bank's root check, propably for the reasons the OP states above.
Click to expand...
Click to collapse
You need to blacklist the UID for your bank. Directions are in the OP.

Please root n920v

Unreal.... can a group of professionals get together and spend a day cracking the bootloader and root the Verizon version note 5 not even one custom rom for this device all other models have gotten there attention we need to crack this note 5 please
so far no one can hack n920v bootloader. Me also waiting for this info. Until now my n920v still not root yet. huhuu
It does not bypass bootloader
It's funny, in the UART logs running an engineering s-boot, it will say that an invalid image was detected, and it will reboot to avoid tripping Knox. A t-mobile phone I got, I accidentally flashed a Verizon image, and there went Knox, before I had intended to. Verizon has probably drastically reduced the unexplained returns, with the lies suggested on here to use by doing that. That might be a main motivation to consider.
But back to the subject, before I ever tried attempted to understand Magisk (which I used on my XT1575), which sort of does the same thing I did, but still allows selinux, was to use the engineering kernel, and did the following:
& Mount /system as loopback in /data/systemmirror
& Mount a loop back image over /system, which effectively hides it
& Link to each file in the loopback to the mirror, except for what I didn't want, and add what I did want. I even got xposed, microg/unifiednlp working like that. I didn't want to use supersu, but I imagine it can be done too. Some files had to be on the loopback system because uh I think it didn't like dynamic linking some library files that were links, that was fun to debug again and again and again until it worked.
& Set selinux permissive, because links aren't normally allowed, and I couldn't figure out how to make that work in the policy, and I could have reloaded it with the tools in the supersu apk if I knew what I was doing.
Thus, a tethered root is made. Tethered. Every boot up, you have to log in with adb to run the shell script that mounts everything, changes selinux, and kills system_server, effectively rebooting it. I could not figure out another way. It worked, minus samsung pay.
While that doesn't sound so bad, I went into the subway, was playing my hacked up version of shattered pixel dungeon, and the kernel crashed. Man, I that was a bummer. Still haven't rooted it properly.
If there's a fwbl1 or something that breaks the chain of trust from a developers SDK, sboot could be modified to load any binary without tripping Knox into an existing sboot probably.
I've removed so much stuff from this post so many times while preparing the draft to submit to my comment editor, I wonder how many times before I'm forced to decide whether a sign post visible in 1/9th of a picture is part of a street sign or not.

Multiple users workaround?

Hi, all. I am trying to enable multiple users on my S6 Active. I'm aware there's no root exploit for this device, but enabling multiple users normally doesn't require rooting a Samsung device, just installing a custom recovery so that I can boot without read-only applied to the system partition.
Can TWRP (or any recovery that allows adb write access to the system partition) be installed onto an S6 Active, running Android 7.0.1? I read something about how it could trip Knox, but I'm a bit unclear on how bad that is -- I don't understand if tripping Knox totally disables the device or just deactivates Samsung-specific features like Samsung Pay. Personally, so long as Google Play and calling/texting work normally, I couldn't care less about Samsung-specific apps being disabled, and I don't care about the warranty.
Alternatively, any other method to enable multiple users would be warmly welcomed. (If I need to install an app or something to simulate multiple users, that's probably fine, if it works.)
Thanks in advance for any help. I know this is an older device and people have probably moved on from it.

DirtyPipe escalated privilege exploit, will it allow root on android?

Was just reading up on the new disclosure of DirtyPipe a linux kernel 5.8-5.10.10 exploit. Looks like it allows you to write to read only files and even read-only mounts.
The Dirty Pipe Vulnerability — The Dirty Pipe Vulnerability documentation
I know the exploit is only on versions of the android 12 and kernel version 5.8 - 5.10.10 so this would basically effect the Pixels and Galaxy s22. Would this allow root privilege escalation on android? The closest exploit I could find was DirtyCow which was 4 years ago and from what I can tell, DirtyPipe is easier to exploit. DirtyCow root was lost on reboot however and android has come a long way in terms of security like selinux since.
GitHub - j0nk0/GetRoot-Android-DirtyCow: Get temporary root by exploiting the dirtycow vulnerability.
Get temporary root by exploiting the dirtycow vulnerability. - GitHub - j0nk0/GetRoot-Android-DirtyCow: Get temporary root by exploiting the dirtycow vulnerability.
github.com
Could this exploit be used to develop root on devices like locked Verizon Pixel 6's?
Happy to help in anyway I can, I am looking into this stuff but this is pretty nuanced and complex security policy linux kernel topic stuff, so a lot of it is out of my usual wheel house, not sure if there is anyone who could point me in the right direction.
From what I just read about it, yes, Android is affected as well.
alucardetat said:
From what I just read about it, yes, Android is affected as well.
Click to expand...
Click to collapse
Yes, its affected, my question was more around the scope of the problem. Android has a number of additional security policies and things like scoped storage as they look to create sandboxes for certain processes, so I was wondering to what extent can this be hijacked. Can I unlock a bootloader, or simply edit a file in /data that I don't have access to.
The post mentions limitations in crossing page thresholds so I was wondering if the modifications needed to root would even be small enough as well as limitations to file size changes
I don't believe unlocking a bootloader would be possible. As far as I'm aware of, the bootloader can't be modified externally without something like EDL mode. Just my understanding, I could be wrong about that. Sorry, but I'm no expert and I understood your question out of context.
alucardetat said:
I don't believe unlocking a bootloader would be possible. As far as I'm aware of, the bootloader can't be modified externally without something like EDL mode. Just my understanding, I could be wrong about that. Sorry, but I'm no expert and I understood your question out of context.
Click to expand...
Click to collapse
I had wondering if this is different since it can write to read only mounted partitions like recovery, circumventing the need for unlocking the bootloader IMO. You just need the bootloader to be able to write to partitions that are usually read only, but if you can write a custom recovery that does it itself this might be a work around. I am not really sure though

Categories

Resources