[Temp ROOT] - [BOOTLESS MAGISK] FireTV 3rd gen Cube (gazelle) > PS7613 - Fire TV Original Android Development

Overview
This rooting method is based on a vulnerability in the ARM Mali GPU driver (CVE-2022-38181) discovered by security researcher Man Yue Mo at GitHub Security Lab, to gain root access to the 3rd gen Cube that is on firmware PS7613/3701 or older. Newer method for PS7646 here.
The exploit program (gazelle_shrinker) is run directly on the Cube to spawn a temporary root shell for quick access. It can also be run automatically on every boot in combination with @diplomatic's bootless Magisk script to grant apps root access.
For best results, run gazelle_shrinker 30-90sec after boot up, when loading is complete and the device is idle.
Two options for root depending on your needs & comfort level
1) Temporary ADB root - Open an ADB root shell for quick access (PS7613/3701 or older)
Pros:
Access all files and folders from ADB
Simple to use, runs in RAM and doesn't make any changes to the Cube, no chance of bricking.
Remove app package protection so that you can enable/disable any app even without root (eg custom launchers, disabling updates, debloat, etc).
Cons:
Only enables ADB root
gazelle_shrinker occasionally crashes/reboots the Cube when being run. Run it 30-90sec after bootup for greater reliability.
NOTE: gazelle_shrinker won't brick your device, but what you do with that root access can. DM-verity is still in place checking the integrity of the system/vendor partitions, do NOT modify anything in those directories, or the boot partition!!
2) Bootless Magisk - Automatically start a lite version of Magisk that runs entirely from the data partition, (PS7613/3701 or older).
Pros:
Both ADB root and ability to grant root to apps through Magisk Manager
Once the Magisk dameon has started, root can be granted stably whenever needed
Doesn't modify boot or system/vendor partitions, DM-verity is preserved
Cons:
This is experimental, use at your own risk! It's been working stabably during my testing but it's impossible to foresee every issue.
Still relies on gazelle_shrinker to start, and may occasionally crash when gazelle_shrinker runs at boot
Most Magisk modules don't work.
NOTE: Be careful of what apps you give root access to. Giving root access to an app that modifies the boot, system or vendor partitions will brick your device. Again, DM-verity is still actively checking that no changes have been made to system/vendor directories.
Contributors:
Man Yue Mo, @Functioner, @Pro-me3us
@ Thanks to @diplomatic for bootless Magisk script, and @SweenWolf for Launcher Manager
@ Thanks to @Renate for many great tools
@ Thanks to all the folks who have worked on TWRP & Magisk

Temporary ADB root (PS7613/3701 or older)
Disclaimer: Use this at your own risk, I'm not responsible for any data loss or corruption to your device. There is a nonzero chance of bricking the Cube, and little to no recovery options.
Instructions
Enable ADB debugging in FireOS settings
Download, unzip and copy gazelle_shrinker to your Cube
Code:
adb push gazelle_shrinker /data/local/tmp/
Give gazelle_shrinker executable permissions
Code:
adb shell
chmod +x /data/local/tmp/gazelle_shrinker
Open an adb shell and run the program
For best results, run gazelle_shrinker 30-90sec after boot up, when loading is complete and the device is idle.
Code:
adb shell
/data/local/tmp/gazelle_shrinker
setenforce 0
How to disable package protection
Use gazelle_shrinker to open a root shell, setenforce 0 and delete all the apps listed in the file /data/system/PackageManagerDenyList
Code:
/data/local/tmp/gazelle
setenforce 0
Code:
echo '<?xml version="1.0" encoding="utf-8" standalone="yes" ?><map><set name="DenyListKeyPackages"></set></map>' > /data/system/PackageManagerDenyList
Clear Arcus Proxy, disable Arcus Proxy
Code:
pm clear com.fireos.arcus.proxy
pm disable-user com.fireos.arcus.proxy
Optional but strongly recommended, disable updates
Code:
pm disable-user com.amazon.device.software.ota
pm clear com.amazon.device.software.ota
pm disable-user com.amazon.device.software.ota.override
pm disable-user com.amazon.tv.forcedotaupdater.v2
A reboot is required before the protection removal changes take effect.
Verify that any apps you disable actually are disabled. Then reboot, and verify again!
Code:
pm list packages -d

Bootless Magisk (PS7613/3701 or older)
These instructions use an adapted version of @diplomatic's bootless Magisk script & @SweenWolf's Launcher Manager to autoboot, it's recommended you read the original Bootless Magisk post to better understand how it works, and it's limitations.
Disclaimer: Use this at your own risk, I'm not responsible for any data loss or corruption to your device. There is a nonzero chance of bricking the Cube, and little to no recovery options.
Instructions
Enable ADB debugging in FireOS settings
Download gazelle_bootless_magisk, unzip it, and copy it to your Cube keeping the same directory structure
Code:
adb shell mkdir /data/local/tmp/bin
adb push gazelle_bootless_magisk/* /data/local/tmp/
adb shell pm install -r /data/local/tmp/magisk_manager.apk
Give scripts & binaries executable permissions
Code:
adb shell
chmod +x /data/local/tmp/magisk-boot.sh
chmod +x /data/local/tmp/start.sh
chmod +x /data/local/tmp/bin/magiskinit
chmod +x /data/local/tmp/bin/gazelle_shrinker
Install Launcher Manager on your Cube, open, navigate to 'other settings', 'ADB Commands'
Tap on the + icon in the top right corner to create a new command
Enter Name: Start Magisk
Enter Command: sleep 30 && /data/local/tmp/start.sh
Check 'Execute on Boot'
Save
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
When you reboot your Cube, bootless Magisk will automatically start ~30sec after your homescreen loads. It's important that FireOS has loaded and that the device isn't busy, so don't open any apps until after Magisk has loaded. There's a greater chance that gazelle_shrinker will fail or reboot the Cube while launching Magisk if the device is busy.
TO AVOID BRICKING YOUR DEVICE:
Be careful of what apps you give root access to. Giving root access to an app that modifies the boot, system or vendor partitions will brick your device. DM-verity is still actively checking that system/vendor directories haven't been tampered with.
Don't run the boot-magisk.sh script (from either ADB or Launcher Manager) more than once per boot. Doing so will mess up the mounting and module initiation.
Never toggle ADB debugging off/on in the Developer's menu while Magisk is running. This will kill the Magisk daemon running in the background, and could corrupt your device if it's in the middle of an important process.
Only use WiFi ADB, not USB ADB. Booting the Cube with an USB attached computer puts USB in device mode, and ADB will close and kill Magisk when the Cube sleeps in device mode.
This release includes Magisk v21.4 (magiskinit) and Magisk Manager v8.0.7. Don't update Magisk! Patching your boot image will brick your device!

Manually update new 3rd gen Cube firmware PS7299/3052 --> PS7613/3701
New 3rd gen Cubes are (as of June 7th, 2023) shipped with firmware PS7299/3052. To update the device firmware to the latest version (PS7613/3701) that gazelle_shrinker still works on, follow these steps:
Download PS7613/3701 firmware to your Cube's 'Download' folder (Downloader code: 271370)
Run the following commands:
gazelle:/ $ /data/local/tmp/gazelle_shrinker
gazelle:/ # setenforce 0
gazelle:/ # mv /sdcard/Download/update-kindle-gazelle-PS7613_user_3701_0025401652612.bin /data/ota_package/update-kindle-gazelle-PS7613_user_3701_0025401652612.bin
gazelle:/ # echo 'recovery\n--update_package=/data/ota_package/update-kindle-gazelle-PS7613_user_3701_0025401652612.bin' > /cache/recovery/command
gazelle:/ # reboot recovery
Done. The Cube will reboot to recovery and update. This method requires root access, and can only be used to upgrade firmware, NOT downgrade firmware.

reserved

This is really interesting and exciting. I wonder if this vulnerability affects any other Fire HD devices as well (obviously those using Mali GPUs). If you don't mind me asking, what are your plans regarding the PoC's source code? (nevermind, I think I found the original POC here). Could you give some hints regarding to what needs to be changed in order to port the exploit to other devices? I'd love to test it and learn more about this CVE.​

Rortiz2 said:
I wonder if this vulnerability affects any other Fire HD devices
Click to expand...
Click to collapse
I made a post on the FireHD section about this yesterday, I can add details there. I want to keep this thread focused on the 3rd gen Cube and issues with the rooting binary

Amazing work @Pro-me3us! I'm soon going to buy one if I have the time and try it out before it's patched. I wonder how @k4y0z unlocked the sheldon/p devices with the decryption to see what we can do to decrypt the 3rd gen Cube as well since it sounds so similar to this thread with the firmware version to unlock the sheldon/p and root the device. And for what it's worth it's better to stay locked on 7.6.1.3 and below like you said.

Skel40 said:
since it sounds so similar to this thread with the firmware version to unlock the sheldon/p and root the device. And for what it's worth it's better to stay locked on 7.6.1.3 and below like you said.
Click to expand...
Click to collapse
I admit I haven't followed the MTK exploits closely. Any bootloader unlocking these days is going to require 2 (or more) exploits. One exploit for the bootloader itself, and a second exploit to put that first exploit in place. Gazelle is missing a bootloader exploit. Amlogic and MTK devices use very different bootloaders, and aren't likely to have any overlapping vulnerabilities. I hope that gazelle_shrinker can give someone else a foot in the door to find something, but bootloader vulnerabilities are rare.

Sorry, I know this is an absolutely idiotic question but how to I do this
Use gazelle_shrinker to open a root shell, setenforce 0 and delete all the apps listed in the file /data/system/PackageManagerDenyList
I'm using the concole in adblink2. I know nothing about this stuff so was basically just following the guide, but no idea what that means. Again, I realise it’s probably stupid, but if I don't ask I don't learn.

Jerri1240 said:
Use gazelle_shrinker to open a root shell, setenforce 0 and delete all the apps listed in the file /data/system/PackageManagerDenyList
Click to expand...
Click to collapse
No problem, in the guide above I'm summarizing the instructions, an then providing the commands to copy and paste below each summary.
I'm assuming that you have already copied gazelle_shrinker to /data/local/tmp/ on your Cube
Instead of using ADBLink's console button, use the ADB shell button, to open a terminal window on your Cube where you can enter the commands in the instructions (you will see this gazelle:/ $ prompt). Hopefully this gives you an idea of the flow of the instructions:
You want to paste in each of these commands one by one
gazelle:/ $ chmod +x /data/local/tmp/gazelle_shrinker
gazelle:/ $ /data/local/tmp/gazelle_shrinker
gazelle:/ # setenforce 0
gazelle:/ # echo '<?xml version="1.0" encoding="utf-8" standalone="yes" ?><map><set name="DenyListKeyPackages"></set></map>' > /data/system/PackageManagerDenyList
gazelle:/ # pm clear com.fireos.arcus.proxy
gazelle:/ # pm disable-user com.fireos.arcus.proxy
You are going to want to disable updates, since Amazon is definitely going to patch this type of access to the Cube

Got one yesterday and tried the temp shrinker root and all works good for now. I just want to give a heads up to anybody trying this guide to go ahead and update to 7.6.1.3. Disable HDR is available instead of Adaptive and the Always HDR mode. I'm now stuck on the Magisk temp root guide above.

Pro-me3us said:
No problem, in the guide above I'm summarizing the instructions, an then providing the commands to copy and paste below each summary.
I'm assuming that you have already copied gazelle_shrinker to /data/local/tmp/ on your Cube
Instead of using ADBLink's console button, use the ADB shell button, to open a terminal window on your Cube where you can enter the commands in the instructions (you will see this gazelle:/ $ prompt). Hopefully this gives you an idea of the flow of the instructions:
You want to paste in each of these commands one by one
gazelle:/ $ chmod +x /data/local/tmp/gazelle_shrinker
gazelle:/ $ /data/local/tmp/gazelle_shrinker
gazelle:/ # setenforce 0
gazelle:/ # echo '<?xml version="1.0" encoding="utf-8" standalone="yes" ?><map><set name="DenyListKeyPackages"></set></map>' > /data/system/PackageManagerDenyList
gazelle:/ # pm clear com.fireos.arcus.proxy
gazelle:/ # pm disable-user com.fireos.arcus.proxy
You are going to want to disable updates, since Amazon is definitely going to patch this type of access to the Cube
Click to expand...
Click to collapse
Thank you, really do appreciate it.
I basically don't want to look at Amazon's launcher so had been using sweenwolfs manager, but if I can disable updates that's even better. I've been using wolf launcher on my gen2 cube and just got the gen3 this week so really happy to have been able to do this. Thanks again for the idiots guide.
Second idiot question, is there a lost of things I should install, and if updates are stuck on 'checking now...' I assume turning off updates has worked? And lastly, do I want to install bootless magisk too?

Jerri1240 said:
Second idiot question, is there a lost of things I should install, and lastly, if updates are stuck on 'checking now...' I assume turning off updates has worked?
Click to expand...
Click to collapse
Other than the temp gazelle exploit shell you inputted the only thing left is Magisk temp root which you'd have to be careful in case you want to have root apps. Since the updates are stuck on 'Checking now' yes it means it has worked and typing in adb shell pm list packages -d should show com.amazon.device.software.ota and other packages disabled meaning it has worked. To be safe to verify reboot and run the command again to quickly check that the system didn't encrypt the package manager.

Skel40 said:
Other than the temp gazelle exploit shell you inputted the only thing left is Magisk temp root which you'd have to be careful in case you want to have root apps. Since the updates are stuck on 'Checking now' yes it means it has worked and typing in adb shell pm list packages -d should show com.amazon.device.software.ota and other packages disabled meaning it has worked
Click to expand...
Click to collapse
Thank you. No, I just want to be able to use a launcher I like and not have an Amazon update disable it. So I can just leave as is.

Jerri1240 said:
Thank you. No, I just want to be able to use a launcher I like and not have an Amazon update disable it. So I can just leave as is.
Click to expand...
Click to collapse
No problem and yeah honestly due to its limitations I'd rather not take any risks given the price of the device but we're definitely getting somewhere for sure with having control at least.

Jerri1240 said:
is there a lost of things I should install, and if updates are stuck on 'checking now...' I assume turning off updates has worked? And lastly, do I want to install bootless magisk too?
Click to expand...
Click to collapse
When you disable the OTA apps, you should get a near instant 'Update Error' when checking updates
gazelle:/ $ pm disable-user com.amazon.device.software.ota
gazelle:/ $ pm disable-user com.amazon.device.software.ota.override
gazelle:/ $ pm disable-user com.amazon.tv.forcedotaupdater.v2
Now that you have removed the package protections, you can use Launcher Manager to disable the OTA packages above
Launcher Manager / Other settings / Amazon OS Updates / Block updates
This will have Launcher Manager run the pm disable-user commands for you.
Do as @Skel40 recommended, verify that all the apps you disabled, are actually disabled from the command line, especially Arcus Proxy.
gazelle:/ $ pm list packages -d
I also agree with Skel40 about Magisk, if you don't need it for any apps you are using, it's an extra complication that you are better off without.
@Skel40 thanks for confirming everything is working! If you have any issues getting bootless Magisk working let me know. You can enable/disable it by just checking/unchecking 'execute on boot' in Launcher Manager and rebooting the Cube.

Pro-me3us said:
pm disable-user com.amazon.device.software.ota
Click to expand...
Click to collapse
No update error. just 'checking now', launcher manager lists update status as blocked, though.
pm list packages -d gets me the following
package:com.android.nfc
package:com.fireos.arcus.proxy
package:com.amazon.tv.forcedotaupdater.v2
package:com.amazon.device.software.ota
package:com.amazon.device.software.ota.override

Jerri1240 said:
No update error. just 'checking now', launcher manager lists update status as blocked, though.
pm list packages -d gets me the following
package:com.android.nfc
package:com.fireos.arcus.proxy
package:com.amazon.tv.forcedotaupdater.v2
package:com.amazon.device.software.ota
package:com.amazon.device.software.ota.override
Click to expand...
Click to collapse
Since pm list packages -d has it listed as disabled, that's all that really matters.

Pro-me3us said:
Since pm list packages -d has it listed as disabled, that's all that really matters.
Click to expand...
Click to collapse
Thanks again for the help. Really appreciate it.

Related

[ROOT][HOW-TO]Working Root Method for ICS 4.0.4

** Update ****************
************************
Posted a .zip with scripts for both Windows and *nix users to automate the process.
Linux:
-----
Unzip the contents of the attached ICS404root.zip anywhere on your computer and run the script aptly named "runme_root_script.sh". It should take care of the rest. Make sure you have USB Debugging enabled and you put the phone in Camera mode, not mass storage device.
Windows:
---------
Unzip ICS404root.zip wherever you want and then run "rootscript.bat". Make sure you have USB Debugging enabled and you put the phone in Camera mode, not mass storage device.
*************************
*************************
Credit to miloj for finding this technique on the Transformer. (See the thread noted below and be sure to thank him!) I modified it to work on our devices.
http://forum.xda-developers.com/showthread.php?t=1704209
I'll put together a script to automate this process shortly, but if you're antsy like me, here's the lowdown:
1. Download the following files:
su: http://db.tt/ShPzea6I
debugfs: http://db.tt/bGFh43LZ
2. Save the two files downloaded above on /sdcard. (ie: mount your sdcard in windows and copy them over, or "adb push" them to /sdcard).
**Make sure you have your phone on Mount Camera mode, not as a mass storage device; otherwise, you won't be able to access your /sdcard directory via adb. **
3. In a linux terminal/Windows command prompt:
Code:
adb shell
[email protected]_maserati:/ $ cd /sdcard
[email protected]_maserati:/ $ cp su /data/local/12m/
[email protected]_maserati:/ $ cp debugfs /data/local/12m/
[email protected]_maserati:/ $ cd /data/local/12m
[email protected]_maserati:/ $ chmod 755 debugfs
[email protected]_maserati:/ $ chmod 755 su
[email protected]_maserati:/ $ mv batch batch.bak
[email protected]_maserati:/ $ ln -s /dev/block/mmcblk1p20 batch
[email protected]_maserati:/ $ exit
adb reboot
4. While you are waiting for the phone to reboot, type the following into your terminal/command window:
Code:
adb wait-for-device shell
5. Once you're back into the android shell:
Code:
[email protected]_maserati:/ $ cd /data/local/12m
[email protected]_maserati:/ $ rm batch
[email protected]_maserati:/ $ mv batch.bak batch
[email protected]_maserati:/ $ /data/local/12m/debugfs -w /dev/block/mmcblk1p20
(The following is entered at the "debugfs:" prompt)
debugfs: # cd xbin
debugfs: # write /data/local/12m/su su
debugfs: # set_inode_field su mode 0104755
debugfs: # set_inode_field su uid 0
debugfs: # set_inode_field su gid 0
debugfs: # quit
[email protected]_maserati:/ $ cd /data/local/12m
[email protected]_maserati:/ $ rm su
[email protected]_maserati:/ $ rm debugfs
[email protected]_maserati:/ $ exit
adb reboot
Done deal. Now you've got the "su" binary pushed to your /system partition and set with the proper permissions for execution. Download the Superuser app from the market and you're good to go. Make sure you update the su binary within the Superuser app as well to make sure you're up to date.
Awesome! Were you able to upgrade to the latest leak and not lose root? Btw, what carrier are you on? I figured out how to get tethering fully functional on rogers but the process requires root...
Sent from my XT894 running ICS
You bet. I had to fastboot the leaked .208 update over top of the .206 update yesterday because I messed up my /system partition; I had used the OTA Rootkeeper to keep root permissions when upgrading from .219 but had foolishly disabled it right before I bungled everything up.
So to sum it up, this method didn't require anything to be done before updating to the .208 leak; since it has nothing to do with the technical details of the kernel itself, I'm fairly certain it should work for the .200 or .206 leaks as well. Root permissions were obtained from a completely stock system.
I'm in Canada with Bell but it doesn't matter because I imported the phone from the US; Verizon is the only carrier that has this phone. At any rate, this method is pretty universal, it is preying on a vulnerability present in the stock init.rc file and I bet it would work on other phones such as the RAZR as well.
So we can confirm this is 100% working with Fastbooting back and moving to 208? If so I will probably jump on this immediately.
I am trying to do this method but I cant adb to detect my phone. Im on the .208 leak. Can anybody help?
Have you enabled USB Debugging in the Settings->Developer Options menu?
Rick#2 said:
Have you enabled USB Debugging in the Settings->Developer Options menu?
Click to expand...
Click to collapse
Yep.
Not able to reboot, trying manually...
Code:
debugfs: /data/local/12m/su: Permission denied
debugfs: su: File not found by ext2_lookup
debugfs: su: File not found by ext2_lookup
debugfs: su: File not found by ext2_lookup
Had to reboot manually twice. This is the only error message I received. Tried Superuser, but it stops.
I'm on .200 btw.
droidian1441 said:
Yep.
Click to expand...
Click to collapse
I'm having the same issue. I'm on the 208 leak. I start command prompt in windows then type "adb shell" and I get the "device not found" message. I enabled usb debugging and my phone is connected as mass storage.
Likewise, Reboot requires su access, manual only. When I go and run the write command in debugfs permission denied. Any ideas what would cause this? Based on the code shown in the first post, SU had been already acquired(# vs $), which makes me wonder here.
Die Bruine said:
Not able to reboot, trying manually...
Code:
debugfs: /data/local/12m/su: Permission denied
debugfs: su: File not found by ext2_lookup
debugfs: su: File not found by ext2_lookup
debugfs: su: File not found by ext2_lookup
Had to reboot manually twice. This is the only error message I received. Tried Superuser, but it stops.
I'm on .200 btw.
Click to expand...
Click to collapse
Looks like you're doing something wrong with the debugfs command; you don't want to enter /data/local/12m/su at that prompt.
Running su from any partition other than /system will lead to a permissions error, so you don't want to bother trying to execute it from the /data/local/12m location.
(The following is entered at the "debugfs:" prompt, ie: after executing /data/local/12m/debugfs -w /dev/block/mmcblk1p20; see step 5.)
Code:
debugfs: # cd xbin
debugfs: # write /data/local/12m/su su
debugfs: # set_inode_field su mode 0104755
debugfs: # set_inode_field su uid 0
debugfs: # set_inode_field su gid 0
debugfs: # quit
Grizzy3 said:
I'm having the same issue. I'm on the 208 leak. I start command prompt in windows then type "adb shell" and I get the "device not found" message. I enabled usb debugging and my phone is connected as mass storage.
Click to expand...
Click to collapse
Ive got the same situation over here. I can stick without root, just the fact that I would have it again would be just the single reason to do it. Lol.
Sent from my DROID4 using Tapatalk 2
Code:
debugfs 1.42 (29-Nov-2011)
debugfs: cd xbin
cd xbin
debugfs: write /data/local/12m/su su
write /data/local/12m/su su
/data/local/12m/su: Permission denied
Rick, that's what we're putting in. From the code you posted it shows that you had root access already. Do you have any other suggestions on this? Because that's the in and out I get.
---------- Post added at 04:57 AM ---------- Previous post was at 04:53 AM ----------
Problem resolved. Need to run the following code:
Code:
chmod 755 debugfs
chmod 755 su
Then continue with rooting.
gdeeble said:
From the code you posted it shows that you had root access already.
Click to expand...
Click to collapse
Not sure where you're making this assumption from. I just wrote the "#" symbol in there to signal where to start entering commands... though I suppose you're correct in pointing out that the "#" shows up on a root prompt. A smarter choice probably would have been "$".
Trust me, I'm not an idiot. I wouldn't have gone through the hassle of writing up the guide in the first post if it didn't work.
Didn't mean it that way, just looked like it already had root, which was what confused me. But thanks again for this. :-D
Tried it again. This time no errors and the phone rebooted. But now Superuser keeps on FC .
Reinstalled superuser, updated and busybox. Now rooted! Thnx.
BTW, you might wanna update the OP. Do not batch the commands under windows. I tried several times. I think there is something wrong with the timing. Manually entering all the commands in a shell works. But putting them in a batch will enter them too fast for ADB to handle (under Windows shell) I guess.
Die Bruine said:
BTW, you might wanna update the OP. Do not batch the commands under windows. I tried several times.
Click to expand...
Click to collapse
I don't know, it seemed to work fine for me with the script I made. Anyways, glad it worked out for you.
Now that we can re-root as well as (somewhat convolutedly) fastboot ourselves back on track, we're good to go.
droidian1441 said:
Ive got the same situation over here. I can stick without root, just the fact that I would have it again would be just the single reason to do it. Lol.
Sent from my DROID4 using Tapatalk 2
Click to expand...
Click to collapse
As stated in the guide, you need to be in camera mode not mass storage.
Sent from my DROID4 using XDA
I was trying to do it manually last night before the OP posted the batch file, and it was not working because I was in MTP instead of PTP. SO make sure you use PTP.
Put your phone in camera (PTP) mode for the USB connection and it should work fine. Also, after it completes, download Superuser from the market.
I ran Titanium Backup after everything and it told me it needed to fix my su binary permissions or something like that... I let it do its thing... Either way, IT WORKED!!!!!
I put it in camera mode and made sure usb debugging is enabled. Then I ran the script for windows. Still getting the device not found error throughout. Really don't know what's going on.

[MOD][P905] selinux permissive on stock kernel LTE QUALCOMM ONLY!

At first, I am not liable for any harm or damage that may happen to your device!
If you have su and didn't trigger knox, I CANNOT guarantee that running this script won't cause 0x1!
Requirements:
1) P905/viennalte/Qualcomm based model ONLY (won't work on Exynos devices. MIGHT work on other Qualcomm LTE deices from Note Pro and Tab Pro series or even S5 / Note 3 etc - feel free to repost but give credits AS THIS METHOD SEEMS TO BE COMPLETELY NEW! ) running 4.4.2 stock;
2) root access with SuperSU (using cf-root - credits to chainfire);
3) busybox installed (I do recommend this paid installer: https://play.google.com/store/apps/details?id=stericson.busybox.donate , MOST PROBABLY free version will be more than enough, too, but I haven't tested it as I have license...)
4) Android Terminal Emulator installed ( free at: https://play.google.com/store/apps/details?id=jackpal.androidterm )
Installation:
1) download file permissive_via_kmem.sh using below link and put it in the root of internal memory (so it will be placed in: /sdcard/permissive_via_kmem.sh)
2) run Android Terminal Emulator
3) at command line, type:
Code:
su -c /sdcard/permissive_via_kmem.sh
(give it an access if requested)
4) voila.
Alternative: if u have init.d support just put the file in /system/etc/init.d to make permissive on every boot
Additional info for advanced users:
1) samsung decided to compile kernels for newer 4.4.2 roms with a flag (a kernel variable) forcing selinux enforcing mode
2) as kernel itself cannot be modified after compiled, it was impossible to set permissive mode using shell or even by repacking kernel's ramdisk, at least on Qualcomm LTE devices
3) custom kernel can do the job, but samsung's sources are broken, at least for P905, and it refuses to boot at all...
4) however, there is a workaround...
5) we cannot change kernel binary to run with different flag out of the box BUT we can obtain it's placement (address) directly in kernel memory space on running kernel and write different value DIRECTLY into the memory, hacking the kernel to make it think that the flag was different
6) for this purpose i believe we have to disable restrictions to access kernel pointers (done via sysctl)...
7) ...then read the output of /proc/kallsyms which will provide a list of all kernel variables along with their addresses in kernel memory space...
8) ...filter out a boolean variable selinux_enforcing which is responsible for all the troubles...
9) ...and write raw 00 byte into the address where the variable value is stored, via /dev/kmem.
Download:
http://www12.zippyshare.com/v/89625246/file.html
Noob question
Could you explain to a newb what this does?
I've read this article on it and still can't fathom what benefits I'd have from changing it to permissive: http://www.androidpolice.com/2013/10/31/kitkat-feature-spotlight-selinux-defaults-to-enforcing-rather-than-permissive-other-new-security-features/
And thank you.
cavkic said:
Could you explain to a newb what this does?
I've read this article on it and still can't fathom what benefits I'd have from changing it to permissive: http://www.androidpolice.com/2013/10/31/kitkat-feature-spotlight-selinux-defaults-to-enforcing-rather-than-permissive-other-new-security-features/
And thank you.
Click to expand...
Click to collapse
Check this
Well, if i'd try to express it in a simple way, from the user's point of view permissive mode is equal to selinux turned off at all, except it is logging (and only logging...) all the warnings caused by security violations, which would result in an error in enforcing mode. Permissive mode let you avoid strict security policies defined by manufacturer (and NSA - yeah, the real spies - which is maintaining general selinux rules), but also gives the possibility of establishing possible issues which may appear after switching to "really secure" enforcing mode.
And if you are asking about the exact, disturbing (ofc if security is not your main priority...) effects of enforcing mode that may affect end-users, we may start from: troubles with write-access to some (mostly external, but i have personally fought with with an issue of non-writeable internal sdcard, too) medias (well, to be honest, I do hope that my discover will help in building 100% working custom recovery...), troubles with non-working system mods resulting from bad selinux file labels, troubles with wiping partitions (ie. wiping cache or even swapping modded system lib sometimes has to be followed by triggering restorecon command on that filesystem (restore selinux context), which is leading to ie. losing root access, which may be fixed by flashing supersu again, etc etc, non working apps (especially related to modifying sensitive system parameters or resources), unchangeable system properties, unreachable functionalities, blah blah blah.... This topic had been widely discussed on xda and over the internet.
On the contrary, if you like to use your device as-is and you're not interested in modding/tweaking it, you will probably not need this mod, as you will gain nothing - but lose a little bit of security... For heavy modders, although, it's a must-have.
Btw can anyone confirm if it's working? I assume that I was looking for solution for some time, made some other changes to the environment meanwhile, so I cannot be 100% sure that above script alone is absolutely enough (but in theory it should...), however, even if it is not, it's just a matter of 1-2 days to figure out what additional, previously-well-known steps, such as running "setenforce 0", may be required in addition.
And as a brief summary: YES, my selinux is now really Permissive, both when running getenforce command and in system settings!
Wysłane z mojego SM-P905 przy użyciu Tapatalka
After following all steps getenforce still returns enforcing and in system it also shows enforcing.
If I try running setenforce I get permission denied.
Ok, can you enter:
Code:
su
printf '\x00' | su -c dd of=/dev/kmem seek=$( printf '%d\n' '0x'`cat /proc/kallsyms | grep ".*\ selinux\_enforcing" | cut -f 1 -d " "` ) bs=1 count=1 conv=notrunc
into terminal and tell me what's the output and/or the enforcing state??
Wysłane z mojego SM-P905 przy użyciu Tapatalka
As requested
Output:
/dev/kmem cannot open for write: permission denied
getenforce still returns Enforcing
[email protected]:/ $ cd /dev
[email protected]:/dev $ ls *mem*
ashmem
kmem: Permission denied
mem: Permission denied
ramdump_audio-ocmem
ramdump_smem
smem_log
1|[email protected]:/dev $
Same result in # mode
RaSand said:
As requested
Output:
/dev/kmem cannot open for write: permission denied
getenforce still returns Enforcing
[email protected]:/ $ cd /dev
[email protected]:/dev $ ls *mem*
ashmem
kmem: Permission denied
mem: Permission denied
ramdump_audio-ocmem
ramdump_smem
smem_log
1|[email protected]:/dev $
Same result in # mode
Click to expand...
Click to collapse
I assume that you have ran the command as root (ie didnt forget about 'su' before the main command)...? Your logs show non-root mode, but ur saying about '#' mode at the end, guess you mean su... Assume that all we do here requires root shell first to be opened, and the output even if similiar, may vary in details between non-root and root mode, so don't forget to get privileges before running anything below...
If so, I guess default policy prevents writing to /dev/kmem in enforcing mode by setting its selinux context to a special one, dedicated only for /dev/kmem and /dev/mem.The working solution is to repack kernel (not same, but, indeed, a lot easier, than recompile - changes won't affect the kernel binary code, but it's ramdisk part, only) with modified policy defaults, which will treat /dev/kmem as a genuine device, not a "sensitive" one. I can provide the one repacked for my own purposes, however, befoure such an intrusion we may want to try other solutions I can think of (again, cannot test it as I ve added many different mods in many different places, I would need to go back to stock to test it, but I need my device 100% steady and configured for my job this week. Hope you'll help me in solving this out, it shouldnt take long...).
Notice: Again, ALL BELOW COMMANDS SHOULD BE RUN IN ROOT MODE. That means you shall enter "su" command alone before trying any of those steps, and the Terminal will switch to a root shell, which is confirmed by switching the last sign in the prompt from '$' to '#'.
Notice 2: if it is written - after some steps - to try switching to permissive mode again, it should be done by running the command from MY PREVIOUS POST only, as it is equal to longer version from the script, just closed within shorter one-liner command... the command should change the mode to permissive itself and no further steps are needed.
1) run following:
Code:
ls -lZ /dev/kmem >/sdcard/info.txt
and paste the exact output (which has been saved at /sdcard/info.txt) here so I can gather further info about issue. Dont make a test of the main script here as nothing has been changed. After that...
2) we can try to set different context (a default one for dev files) manually. Again, it might be impossible as of selinux policy, but worth trying. Enter as root:
Code:
busybox mount -o rw,remount /
chcon u:object_r:device:s0 /dev/kmem
if error, paste it here. If no error, test if permissive mode script is working.
3) we can try to modify selinux policy in temporary ramdisk file to prevent giving /dev/kmem a special context and then restore context of whole /dev to it's "defaults", however, those "defaults" would be our modified ones. Possible issues: not sure if the restoring default context will make use of modified policy or would it use only the policy loaded on-boot (and as the ramdisk is temporary, policy modifications will disappear too within reboot). After getting root, enter:
Code:
busybox mount -o rw,remount /
sed -i "s:^.*\/dev\/[k]*mem.*$::g" /file_contexts
setprop selinux.reload_policy 1
restorecon -R /dev >/dev/null 2>&1
after that - if no errors - check if the switching works.
4) if none of the above is working, guess we'll need to repack stock kernel with a ramdisk content modified in the same way as in step 3. When embedded in kernel, the changes to the policy rules will be seen every boot and they will affect /dev/kmem in a persistent manner. This will let you write to it for sure. I will provide a ready repacked boot.img, so we can avoid repacking at all. This however is not a very satisfying solution, as my goal was not only to achieve permissive mode, but to achieve it without any changes (even if they are much less disturbing than recompiling kernel from source) to boot partition. But hey, first check out on-the-fly solutions above, as they are much less intrusive to a device, coz won't require reflashing kernel/boot partition.
EDIT: remount command added to step 2, repeat if you had error with changing the context.
Thanks for your effort.
[email protected]:/ $ su
[email protected]:/ # ls -lZ /dev/kmem >/sdcard/info.txt
/dev/kmem: Permission denied
1|[email protected]:/ #
info.txt is empty
chcon: Could not label /dev/kmem with ubject_r:device:s0: Permission denied
2|[email protected]:/ #
waiting for code for 3)
same result in step 2 with added remount
---------- Post added at 04:55 PM ---------- Previous post was at 04:30 PM ----------
It swallowed all commands in 3) BUT re running the script didn't change anything. After please wait.... done it still says selinux is set to Enforcing. Sorry.
getenforce returns enforcing
setenforce to 0 or Permissive doesn't change a bit.
seems it has to be done the hard way
better luck next time
RaSand said:
[email protected]:/ $ su
[email protected]:/ # ls -lZ /dev/kmem >/sdcard/info.txt
/dev/kmem: Permission denied
1|[email protected]:/ #
info.txt is empty
chcon: Could not label /dev/kmem with ubject_r:device:s0: Permission denied
2|[email protected]:/ #
waiting for code for 3)
same result in step 2 with added remount
---------- Post added at 04:55 PM ---------- Previous post was at 04:30 PM ----------
It swallowed all commands in 3) BUT re running the script didn't change anything. After please wait.... done it still says selinux is set to Enforcing. Sorry.
getenforce returns enforcing
setenforce to 0 or Permissive doesn't change a bit.
seems it has to be done the hard way
better luck next time
Click to expand...
Click to collapse
Your errors are quite strange, as it seems that you don't even have permissions to check the simple content of a directory...
Try to run commands from step 1 - 3 again, but with slight modifications (below), so theyll run in separate, undoubtly-rooted shell... Test also with modded command (you can try it alone before in the very beginning...)
Also: please run 2 and 3 in reversed order, ie. first step 3 and if not working, without rebooting, run step 2...
Btw are you using SuperSu 1.99? If no - after trying all below options, upgrade SuperSu from the Play Store, run it to update the binaries, reboot. check commands again. If still the same, install update to /system using option from its menu (it will do some cleanup and ask to reboot, after that you have to run option again, this time it will perform installation, after which you have to reboot again - after boot run SuperSu and check if the option is greyed out, if yes, everything went fine) and check all steps once again...
Here we go.
Main command:
Code:
su -c printf '\x00' | dd of=/dev/kmem seek=$( printf '%d\n' '0x'`cat /proc/kallsyms | grep ".*\ selinux\_enforcing" | cut -f 1 -d " "` ) bs=1 count=1 conv=notrunc
Step 1 v2:
Code:
su -c ls -lZ /dev | grep kmem >/sdcard/info.txt
Step 2 v2 (formerly step 3 ):
Code:
su -c busybox mount -o rw,remount /
su -c sed -i "s:^.*\/dev\/[k]*mem.*$::g" /file_contexts
su -c setprop selinux.reload_policy 1
sleep 3
su -c restorecon -R /dev
Notice: I am not sure if setprop selinux.reload_policy 1 is enough to force sammy's android (which is a really giant b***ch to hack when compared to any other android...) to reload the policy, this may really work, but only if the policy is reloaded on-line using new defaults. Later I will look for that information...
Step 3 v2 (formerly step 2 - please run directly after step 2v2, without rebooting...):
Code:
su -c busybox mount -o rw,remount /
su -c chcon u:object_r:device:s0 /dev/kmem
Notice: step 3 - when ran fine - might now print some errors that it cant access some stuff in /dev - this is absolutely ok. But formerly I disabled the output at all (not to confuse you with some strange errors), but it resulted in lack of possibility to find out if the command ran AT ALL or if it escaped because of no permissions on the very beginning.
Before we go on here let's get a few things out of the way.
1) please advise where i should get supersu 1.99 from. I'm on 1.94 and in my country (GE) there is no newer version available in the play store.
2) first thing I usually do when I start the terminal is type "su"
3) I'm an old man. So please be patient
that said let's give it another try
---------- Post added at 06:42 PM ---------- Previous post was at 06:11 PM ----------
This is starting to test my temper. I guess I will put the steps into files and run them with gscript. Hang on. Might take some time
---------- Post added at 07:30 PM ---------- Previous post was at 06:42 PM ----------
Guess I had it for today. No changes whatsoever.
Here is what I did
installed supersu to /system. Option is greyed out now
made a new script for every box of code. Main and step 1 to 3
Made copies and added some echo lines so I could see if scripts work and/or finish correctly
executed scripts with gscript in the given order
No echo in step 1 to 3
ran original code
same result.
don't know what else to try.
sorry
RaSand said:
Before we go on here let's get a few things out of the way.
1) please advise where i should get supersu 1.99 from. I'm on 1.94 and in my country (GE) there is no newer version available in the play store.
2) first thing I usually do when I start the terminal is type "su"
3) I'm an old man. So please be patient
that said let's give it another try
---------- Post added at 06:42 PM ---------- Previous post was at 06:11 PM ----------
This is starting to test my temper. I guess I will put the steps into files and run them with gscript. Hang on. Might take some time
---------- Post added at 07:30 PM ---------- Previous post was at 06:42 PM ----------
Guess I had it for today. No changes whatsoever.
Here is what I did
installed supersu to /system. Option is greyed out now
made a new script for every box of code. Main and step 1 to 3
Made copies and added some echo lines so I could see if scripts work and/or finish correctly
executed scripts with gscript in the given order
No echo in step 1 to 3
ran original code
same result.
don't know what else to try.
sorry
Click to expand...
Click to collapse
Stay cool. I am a (quite) young man, but I have patience, too ;]
No output when running *something* as su = faulty su installation (maybe)...
Please download SuperSu 1.99 (flashable cwm version) from here: http://forum.xda-developers.com/showthread.php?t=1538053 and put it somewhere on internal sdcard
Download my "almost-working" TWRP recovery image: http://www53.zippyshare.com/v/30690424/file.html
Put it in internal mem so its path will be /sdcard/twrp2.img
Run terminal emulator (CAREFULLY WITH THE PARTITION NUMBERS!)
Code:
su
dd if=/dev/block/mmcblk0p15 of=/sdcard/recovery.backup.img
sleep 1
dd if=/sdcard/twrp2.img of=/dev/block/mmcblk0p15
sleep 1
sync
reboot recovery
In recovery, flash downloaded supersu zip. Reboot.***
Try commands again.
Maybe your busybox is bad? Can you tell me the output of command busybox written alone without further params?
***(btw the recovery may be useful, but it is not-fully-working, however, it is working AT ALL... be aware of issues:
- it cannot write backups to exfat external cards, vfat/fat32 only
- it may mess the selinux context, especially for cache partition after wipe. solution: from twrp run advanced -> console (or terminal? dont remember) and run
restorecon -R /cache
- if u ever have a bootloop after flashing a (even reliable...) zip, you should get back to twrp, click mount menu, mount everything, switch to advanced -> console and run:
restorecon -R /system
restorecon -R /data
restorecon -R /cache
selinux contex will be fixed BUT it will mess context for su binary, so in the end flash supersu again and reboot, everything will be ok.
If you want to revert, just do:
dd if=/sdcard/recovery.backup.img of=/dev/block/mmcblk0p15
).
And last but not least, kernel which I have promised (BUT if you use it, I will lose my only tester heheee):
http://www46.zippyshare.com/v/63874309/file.html
Please be aware that there are some other tweaks included (like unsecure adb, faster filesystem mount options but with higher risk of data loss, etc).
Put b4.img to /sdcard/b4.img
Run:
Code:
su
dd if=/dev/block/mmcblk0p14 of=/sdcard/boot.backup.img
sleep 1
dd if=/sdcard/b4.img of=/dev/block/mmcblk0p14
sleep 1
sync
reboot
You can revert to stock by dd if=/sdcard/boot.backup.img of=/dev/block/mmcblk0p14 (or by flashing full stock by odin). Would be glad if you can confirm that mode is permissive using this repacked kernel (HOPE IT WILL!!!!) and after some time you'll flash the backup back, to help me solving the case, as i suppose that there IS possibility of permissive without the kernel flash and I need a tester ;} It would be reeeeeeaaaaaaaally nice...
BE AWARE THAT:
- it's for note pro 12.2 LTE ONLY!!!! also called viennalte or SM-P905... It WON'T work on other devices and it may damage them (for example, coz of different mmcblk numbers...)
- messing the mmcblk0pxx number may cause an unrecoverable harm to your device (especially if you overwrite bootloader partitions or your efs partitions where unique imei is stored), it's 14 for kernel (boot) and 15 for recovery
- your knox WILL be tripped (if it hasnt been tripped yet... but it's not very probable )
- on the very first boot screen, a warning messages may appear in the left-top corner, about some warranty stuff. Ignore them, they'll disappear after reverting boot/recovery to stock.
Regards.
Just done flashing twrp and supersu(now 1.99)
i will not give up that easy, don't worry.
Just to be on the safe side i downloaded b4. Maybe you should remove it for the moment.
Looks like fun being the most important part of the team.lol.
btw. Knox was tripped about 2 hours after i got the device
busybox is v1.22.1 (2014-01-25 17:27:18)
---------- Post added at 10:05 PM ---------- Previous post was at 09:15 PM ----------
This it what happened after the last command in step 2 was executed
Could not label /dev/cpuctl with ubject_r:cpuctl_device:s0: Operation not supported on transport endpoint
Could not access /dev/kmem: Operation not supported on transport endpoint
Could not access /dev/mem: Operation not supported on transport endpoint
Could not label /dev/pts with ubject_r:device:s0: Permission [email protected]:/ #
After this I will reboot
127|[email protected]:/ # dd if=/sdcard/b4.img of=/dev/block/mmcblk0p14
18468+0 records in
18468+0 records out
9455616 bytes transferred in 2.044 secs (4626035 bytes/sec)
[email protected]:/ # sync
[email protected]:/ #
---------- Post added at 02:08 PM ---------- Previous post was at 02:00 PM ----------
One would expect to have a new kernel after the above, but guess what
[email protected]:/ $ su
[email protected]:/ # getenforce
Enforcing
[email protected]:/ # setenforce Permissive
127|[email protected]:/ # getenforce
Enforcing
[email protected]:/ #
and the kernel set the warranty bit for kernel change, but it didn't make it to block 14 as I still have the stock kernel
RaSand said:
After this I will reboot
127|[email protected]:/ # dd if=/sdcard/b4.img of=/dev/block/mmcblk0p14
18468+0 records in
18468+0 records out
9455616 bytes transferred in 2.044 secs (4626035 bytes/sec)
[email protected]:/ # sync
[email protected]:/ #
---------- Post added at 02:08 PM ---------- Previous post was at 02:00 PM ----------
One would expect to have a new kernel after the above, but guess what
[email protected]:/ $ su
[email protected]:/ # getenforce
Enforcing
[email protected]:/ # setenforce Permissive
127|[email protected]:/ # getenforce
Enforcing
[email protected]:/ #
and the kernel set the warranty bit for kernel change, but it didn't make it to block 14 as I still have the stock kernel
Click to expand...
Click to collapse
Your two posts above confirm that SU version was not the issue, as it is still preventing from modyfing anything related to kmem, sorry for effort, attough hope you'll at least enjoy included, almost-working twrp, as it seems to be only one capable of flashing zips and doing backups and restoring them on p905 floating around (if you use exfat card for everyday use, my recommendation is to use another one, ie. 8 gig, which are cheap as hell, format it to fat32 (in android it's recognized as vfat) and use it for exclusively for backup purposes, at least until someone establishes a better solution. It's not that bad after all plus it gives you real possibility of experimenting with the device without need to worry about configuring it again from the beginning if something fail. Btw please be aware if in any case, after restoring backup/flashing zip/clearing cache you'll receive a bootloop AND/OR after booting you/apps won't be able to write to any part of internal memory (like /sdcard or /cache), just get back to twrp, use console and run restorecon commands for all partitions AND -as restorecon will break su - reflash su. ALSO - if anytime TWRP on exit will prompt you with a proposition of rooting the device itself - don't do that, the only proper way of fixing su is reflashing it from the genuine zip (or with odin, but avoid that as cf-root includes older version). Uh, isn't it a offtopic? Sorry..
The kerne IS stock (as to the binary part) but with modified ramdisk (repacked) including changed policy of accessing /dev/kmem. If you have kernel warranty bit warning on boot, you have flashed it succesfully ( the message will disappear when you flash back FULLY-stock kernel back - also, i dunno why but it says "kernel is not enforcing" but it's not YET true! It will say the same even if I repack kernel without any changes, so it's quite misleading...), although kernel version/compilation number nor any extra features will not change in the system coz the kernel base is absolutely the same (and it has to stay the same until Samsung release sources that work, coz current one won't).
To really, really confirm that you have flashed my kernel and that the policy of writing to memory has been removed, please open /file_contexts file (it lies in the very root of the filesystem) in any text editor within Android, and look for lines with /dev/kmem or /dev/mem. They should be commented out by "#" in the beginning - or deleted at all (dont remember which one method I did use...). If so, you can be sure that you have flashed repacked kernel succesfully (and also that I have uploaded the proper one, with changed policy...).
If you have checked above, you may be sure that after every boot to Android, now, the new policy (without restrictions to /dev/kmem, which were commented out/deleted) will be loaded. I don't think that restorecon -R /dev will be no longer necessary after that, as the /dev directory is virtual and created on every boot, so its previous, restricted security labels are not preserved between reboots and they are assigned according to current policy, only - but you can run it to check if you see any errors for /dev/kmem (and you should NOT see them... there might be other, like for /dev/cpuctl etc, but it doesnt matter...).
After that, there should be no further doubts that you have unlocked /dev/kmem for writing!
On this step you still need to run the command from my post on top of the topic, this one:
Code:
su
printf '\x00' | su -c dd of=/dev/kmem seek=$( printf '%d\n' '0x'`cat /proc/kallsyms | grep ".*\ selinux\_enforcing" | cut -f 1 -d " "` ) bs=1 count=1 conv=notrunc
setenforcing alone WILL NOT WORK EVEN NOW, only the script above helps. I guess you avoided that after flashing kernel, coz of misleading boot warning...
Then check enforcing status. Now it really should work.
If we achieve a success, I'd rather release a fully-featured-repacked-kernel, with built-in kmem script, so it will be permissive from the very beginning (PLUS it will be in a good mood to close possibility of further writing to /kmem after that one single write, as it is really serious security hole, to be honest, to let anyone write to any part of memory directly..., and also include init.d support out-of-the-box as well).
Sorry for letting you wait that long. I was out in woods all day and did not even take the Tablett with me. Besides that there was no service whatsoever.
After running your script, wich for whatever reason I didn't do yesterday, I do have permissive selinux. As you suggested I play with it a couple of hours till bedtime and re flash stock after that to do more testing if you come up with new ideas and need a tester.
bee back in the morning, or maybe before I lay my tired head to rest.
congrats for the job you did till now.
edit:
Just checked file_contexts and the lines for kmem and mem are commented out. So for the moment I'm definitely on your kernel. Thanks again
RaSand said:
Sorry for letting you wait that long. I was out in woods all day and did not even take the Tablett with me. Besides that there was no service whatsoever.
After running your script, wich for whatever reason I didn't do yesterday, I do have permissive selinux. As you suggested I play with it a couple of hours till bedtime and re flash stock after that to do more testing if you come up with new ideas and need a tester.
bee back in the morning, or maybe before I lay my tired head to rest.
congrats for the job you did till now.
edit:
Just checked file_contexts and the lines for kmem and mem are commented out. So for the moment I'm definitely on your kernel. Thanks again
Click to expand...
Click to collapse
good, thank you for testing and hope enforcing linux won't bother you again ;] you're probably a second man on the planet who is running your machine in permissive
and don't worry about anything, it's not a race or something. i am most thankful that you found a time to run all the suggested stuff, and for patience.
please however note that leaving open /dev/kmem shall be considered as a serious security hole! it allows root app to write ANYTHING to ANY part of memory. Well, that's was an obligatory warning, however, I was never scared too much with security issues and until now nothing bad happened so..
Let's summarize:
- now I am sure that my script is working BUT only after giving it possibility of writing to memory via /dev/kmem
- writing to /dev/kmem is possible only after changing the security policy, which lies in kernel's ramdisk
- the final appropach shall also CLOSE the access to /dev/kmem just after changing the selinux mode for security reason
- the aim is to make a complete modification which will make use of only one area of the device ie. system OR kernel, not both, as it is too intrusive:
- find a way to reload policy when device is on-line, so writing to /dev/kmem will be possible (it's a preferred method, no need to flash anything and no need to watch ugly warranty message - but I doubt if it's possible - it would be an equally dangerous security issue, there is no practical difference between letting write to memory and between letting to open the possibility of write to memory and then letting write to memory ... or
- implement the memory write technique straight in the kernel's ramdisk.
I will be back with new stuff, soon.
Before you surprise us with new stuff, could please change the command to revert to stock kernel in post #12. Somebody might get into trouble by just running the command and put the kernel in the wrong block. And while you are at it. It should be if=/ not if-/ in the code field.
RaSand said:
Before you surprise us with new stuff, could please change the command to revert to stock kernel in post #12. Somebody might get into trouble by just running the command and put the kernel in the wrong block. And while you are at it. It should be if=/ not if-/ in the code field.
Click to expand...
Click to collapse
Thank you, changes made, no one should flash the wrong block device (although flashing boot to recovery - which is possible, as the boot partition size is 2meg smaller than recovery - shall result in nothing but... booting the device when entering recovery mode ;] - that's just fyi, of course, mistakes corrected...)
esgie said:
Thank you, changes made, no one should flash the wrong block device (although flashing boot to recovery - which is possible, as the boot partition size is 2meg smaller than recovery - shall result in nothing but... booting the device when entering recovery mode ;] - that's just fyi, of course, mistakes corrected...)
Click to expand...
Click to collapse
Esgie, is there any further developments with this script? I've given it a shot and even after running the script, SELinux remains in Enforcing mode.
I see that you have the modified kernel for SELinux in permissive mode, but I really like the approach of having this script rather than using a modified kernel, so I'm wondering if in your process of getting the kernel to work, there might be something you've discovered that would make this script work as well.
Thanks.

[Recovery] [v500] CWM 6.0.5.1

ClockworkMod recovery (6.0.5.1) for LG G Pad 8.3 v500. This custom recovery installation package is for v500 models only. Built from source on 2014-12-13 by Jenkins.
Installation: Flash zip file with any custom recovery and reboot into updated CWM recovery.
Link: v500-CWM-6.0.5.1-20141213-recovery-signed.zip
MD5: 83150942a4f27006691472fa12159631
Note: An advantage to using the official CWM recovery with CM 11 is that the CWM recovery can be automatically updated with the CM Update tool, if enabled in the CM 11 developer options.
Manual Installation (first time installing custom recovery):
1) Gain root permission (ie; with Stumproot) and install SuperSU and Busybox.
2) Install Terminal Emulator or use ADB for opening up a shell (this example is using ADB).
Note: If using Terminal Emulator, make sure root access is given via SuperSU.
3) Download CWM installation zip file from the link above and manually extract it. Also, download the loki_tool binary from https://github.com/djrbliss/loki/archive/master.zip. The loki_tool binary is found in the "bin" folder of loki-master.zip after the file is extracted.
4) Copy recovery.img (contained in the CWM installation zip file from step #3) and the loki_tool binary (contained in the loki-master.zip file from step #3) to /data/local/tmp on your LG G Pad 8.3 v500 tablet with either ADB or a root explorer application and make loki_tool executable.
Code:
adb push recovery.img /data/local/tmp
adb push loki_tool /data/local/tmp
adb shell
su
chmod 755 /data/local/tmp/loki_tool
Note: Since the command "su" was entered, the shell has root permissions to proceed.
5) Patch the recovery.img into recovery.lok using loki_tool:
Code:
dd if=/dev/block/platform/msm_sdcc.1/by-name/aboot of=/data/local/tmp/aboot.img
/data/local/tmp/loki_tool patch recovery /data/local/tmp/aboot.img /data/local/tmp/recovery.img /data/local/tmp/recovery.lok
Note #1: At this point in the installation procedure, there have been no permanent changes to the system. If there is an error or warning while patching recovery.img and creating recovery.lok, then stop this manual installation procedure. In most cases, the problem is that the version of aboot.img found on the device is probably not exploitable with loki_tool. This manual custom recovery installation procedure must be started over again from the beginning after flashing a loki exploitable aboot.img to the device (downgrading firmware should help).
Note #2: If recovery.lok is created successfully without any errors or warnings, then continue with the final step. The shell should still be open with root (su) permissions enabled from the previous steps.
6) Flash recovery.lok file with loki_tool and reboot to new custom recovery.
Code:
/data/local/tmp/loki_tool flash recovery /data/local/tmp/recovery.lok
exit
exit
adb reboot recovery
Updated CWM to 20141120 sources.
sr: Fix vsync logic
* Use CLOCK_MONOTONIC to insulate from system clock changes.
* Normalize all timespec calculations to avoid overflow/underflow.
* Don't signal vsync if poll() fails.
Change-Id: If284ebf581309953c51b2f8d33d7d5800c636be5
sr: Fix screen flashing during wipe operations
* Clear buffer in draw_progress_locked() and always call this in
update_progress_locked(). This is necessary to ensure that all
backing frames in the graphics implementation get updated because
we aren't guaranteed to have any particular number of backing
frames.
* Remove dialogs on wipe operations since we are using the progress
animation now.
* Set progress indicator after showing "Formatting" text to avoid
momentary flicker.
Change-Id: I240d3b8e5c741c9f3ea4e5e17c1b9593e053888a
sr: Only use 4 items on wipe confirmation screens
* Large fonts in Touch UI prevent more than about 7 menu lines.
Change-Id: If523a85d67460c0ac4e012727d946eadb9c68436
Added guide to OP for first time custom recovery installation.
Edit: Updated guide to use loki_tool from github.
Hi,
I have tried this method and get an "unable to find" error as regard loki, seen in this picture i took.
I have placed both recovery.img and loki_tool as from your download links in data/local/tmp folder on lg
Where am i going wrong?
Thank you
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
When you type "adb shell" to open a connection, wait for the shell to open before typing "su". You will then notice that the terminal says "root" as the user. Make sure you have "dd" installed (this comes with installing Busybox). You can tell if dd is installed by typing "which dd" in the shell. If it returns with a path to dd, then it's there. I also noticed that you tried to chmod loki_tool before you have typed su to gain root. You only need to type su one time to get root permissions in the shell. You can tell it is using root because it shows you as the root user at the command prompt.
I am sorry for my dumbness, but i am new to this and not a clue what you are talking about lol.
I never typed su as i followed this procedure on youtube and copy and pasted your text.
I am trying to understand this adb method, but a noob tut is not available, thus trying anyway to get it to work obviously without success lol
https://www.youtube.com/watch?v=MVXX-YdhRU0
Best wishes
ADB needs root access in developer options. Attached screenshot.
Wingchundub said:
I am sorry for my dumbness, but i am new to this and not a clue what you are talking about lol.
I never typed su as i followed this procedure on youtube and copy and pasted your text.
I am trying to understand this adb method, but a noob tut is not available, thus trying anyway to get it to work obviously without success lol
https://www.youtube.com/watch?v=MVXX-YdhRU0
Best wishes
Click to expand...
Click to collapse
You are getting an unable to find error because you typed the name incorrectly (it is loki_tool not loki_tooldd). Be very careful that everything is exactly the same as the guide.
Edit: Also, when you type a command in ADB shell, wait for the command to finish before you type the next command. You can enter the next command in ADB when the prompt comes back.
Edit 2: After typing "adb shell", you only need to type "su" one time as long as you don't close the window.
Does it support f2fs?
I think f2fs support is not default for stock CM kernel. There aren't any customizations on this. This is from Jenkins.
Currently I'm using LP AOSP. Afaik, only LP available. On my Razr HD f2fs and CM12 works just great. Definitely noticeable faster with f2fs.
I have just noticed the loki-tooldd, i am positive i did not type that i,.e the dd on the end.
But i will again tomorrow, test this and come back with any results.
I am also never once typing SU, i assume the program is doing it automatically.
I will test and post pics also.
Thank you
Wingchundub said:
I have just noticed the loki-tooldd, i am positive i did not type that i,.e the dd on the end.
But i will again tomorrow, test this and come back with any results.
I am also never once typing SU, i assume the program is doing it automatically.
I will test and post pics also.
Thank you
Click to expand...
Click to collapse
I dont think ADB is working correctly for you because you are not getting the correct responses when you enter commands. It seems like your system is "hanging" when you enter commands in the adb shell.
Maybe you should try these commands in a Terminal Emulator shell instead of using an ADB shell. You will just need to install an extra root reboot application from Play Store so that you can easily reboot into the new recovery when you are finished.
Deltadroid said:
I dont think ADB is working correctly for you because you are not getting the correct responses when you enter commands. It seems like your system is "hanging" when you enter commands in the adb shell.
Maybe you should try these commands in a Terminal Emulator shell instead of using an ADB shell. You will just need to install an extra root reboot application from Play Store so that you can easily reboot into the new recovery when you are finished.
Click to expand...
Click to collapse
Thank you for you advice.
With terminal, I tried and copied the text provided, again gave same me errors and also the su and dd were there without me typing them.
It is coming to the point where i am giving up now as taking too much of my time.
Both are rooted and at least i can remove bloatware with root explorer etc and put my own stuff in, but would be nice to get this done and use custom roms, but simply not happening. @Tsjoklat, i do not see that option in developer options fella, checked 4 times to be sure.
Thank you loads fella, your a star and very helpful
Will You Do CWM Touch?
This version of CWM uses "swipe" gestures, but it isn't full touch. These versions of CWM are the official nightly builds. I was able to download the artifacts before they were removed for the next build in queue. Although, I plan on setting up a private build system pretty soon.
where am I wrong ???
HTML:
C:\Fastboot>adb devices
List of devices attached
07e7df499159c818 device
C:\Fastboot>adb shell
[email protected]:/ $ su
su
[email protected]:/ # adb push recovery.img /data/local/tmp
adb push recovery.img /data/local/tmp
* daemon not running. starting it now on port 5038 *
* daemon started successfully *
error: device not found
1|[email protected]:/ #
leardinet said:
where am I wrong ???
HTML:
C:\Fastboot>adb devicesList of devices attached07e7df499159c818 deviceC:\Fastboot>adb [email protected]:/ $ [email protected]:/ # adb push recovery.img /data/local/tmpadb push recovery.img /data/local/tmp* daemon not running. starting it now on port 5038 ** daemon started successfully *error: device not found1|[email protected]:/ #
Click to expand...
Click to collapse
It's out of order. First use adb to push the files, then use adb to open the shell.
Deltadroid said:
It's out of order. First use adb to push the files, then use adb to open the shell.
Click to expand...
Click to collapse
HTML:
C:\Program Files (x86)\Minimal ADB and Fastboot>adb push recovery.img /data/loca
l/tmp
cannot stat 'recovery.img': No such file or directory
C:\Program Files (x86)\Minimal ADB and Fastboot>
C:\Program Files (x86)\Minimal ADB and Fastboot>adb push loki_tool /data/local/t
mp
cannot stat 'loki_tool': No such file or directory
C:\Program Files (x86)\Minimal ADB and Fastboot>
C:\Program Files (x86)\Minimal ADB and Fastboot>adb shell
su
chmod 755 /data/local/tmp/loki_tool
su
[email protected]:/ $
[email protected]:/ $ su
the files recovery.img and loki_tool copied in the data/local/tmp/ with ES File explorer
busybox installed
Your log says that you first typed "adb shell" and then you tried to use "adb push" inside the shell. Commands that begin with "adb" do not work when you are inside the "Adb shell".
Type "exit" inside the shell to close it and then "adb push" commands will work.

Patching Sepolicy with Supolicy Tool, modifed file not produced.

I am in the position of having to manually apply the defult sepolicy patch, init,?*init_shell?* and?*recovery?*permissive, and as the title states when using the supolicy tool to modify my supplieded sepolicy it is not being produced and on closer inspection throwing an error. I have attached both the images and the sepolicy file I am trying to applie these change to.
Have I been doing something wrong or is the file corrupted??
If you need more info just ask
Note: when I first tried it inside an adb shell it reported a segumentation fault, but I was unable to reproduce that condition to be provided with as a screen shot.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
EDIT: I at least can say that the possibility of a corrupt file is now smaller becuse I am able to run dumpav and dump its contents to a txt file and then do afb pull back to pc. So amyone know any way to applie the defult P atchs needed to sysyemless root?
@Chainfire Since this is your binary files, you should know the most about it.
Commands to gain application root on emulator
Code:
adb shell df #Check Available Space
adb shell mount -o remount,rw /system
adb push su /system/bin/su
adb shell chmod 0755 /system/bin/su
adb push su /system/xbin/su
adb shell chmod 0755 /system/xbin/su
adb shell su --install
adb shell "su --daemon&"
adb install superuser.apk
adb install rootcheck.apk
I then proceed to patch the sepolicy file with the following commands
Code:
adb push sepolicy /data/local/tmp/sepolicy
adb shell su -c "supolicy --file /data/local/tmp/sepolicy /data/local/tmp/sepolicy_out" #There is no sepolicy_out file
adb shell su -c "chmod 0644 /data/local/tmp/sepolicy_out"
adb pull /data/local/tmp/sepolicy_out sepolicy_out
So what am I able to do?
Are you able to
A) Help me debug the problem
Or
B) Patch the sepolicy file and post the output back to me/here
Matt07211 said:
...
Click to expand...
Click to collapse
Works fine on my device... could be an x86 specific issue? Unfortunately I don't have any x86 devices to test with.
Thanks for that. Yes, I am trying to patch the policy for my armv8 (arm64) cpu device (just realised, but would trying to patch the sepolicy from one architecture using the supolicy for a different architecture have new the problem?, if so I feel dumb). And since I didn't have a spare device devce that met the requirements, I resorted to use the already setup emulator in my Windows installation.
I had proceeded to root and run the supolicy tool for which nothing out-putted (tried different directorys), I then created a new sub-directory, test, in /data/local/tmp and chmod it with read and write permissions. I tried again and failed, I then ran a dumpav in the sepolicy I was trying to patch and outputted it to /data/local/tmp/test/dumpav.txt which worked.
I am just wondering why it didn't work for me .
Thanks again for the sepolic_out file, I really do apperciate it.
Ah you're saying the segmentation fault occurred on the emulator? That's interesting. Might be reproducable on my end.
Note: look at my first image with cms in the foreground and near the bottom of the command window you should see the segfault message, around second last command or so.
To reproduce that segfault (hopefully):
1) https://software.intel.com/en-us/android/articles/android-44-kitkat-x86-emulator-system-image Download the system image from here (had to direct download instead of sdk as internet was running through profile and ask wouldn't work through it)
2) used the 2.78 SuperSu zip and run above commands to gain root
3) run above commands to try and modify sepolicy (it doesn't produce anything)
4) start an adb shell and then run the commands inside the shell. Know the outputs shown was segfault the first time running the commands, every time afterwards it would show the error in the above screenshots
If you figure out what cause the segfault can you please tell me ?
Matt07211 said:
Note: look at my first image with cms in the foreground and near the bottom of the command window you should see the segfault message, around second last command or so.
To reproduce that segfault (hopefully):
1) https://software.intel.com/en-us/android/articles/android-44-kitkat-x86-emulator-system-image Download the system image from here (had to direct download instead of sdk as internet was running through profile and ask wouldn't work through it)
2) used the 2.78 SuperSu zip and run above commands to gain root
3) run above commands to try and modify sepolicy (it doesn't produce anything)
4) start an adb shell and then run the commands inside the shell. Know the outputs shown was segfault the first time running the commands, every time afterwards it would show the error in the above screenshots
If you figure out what cause the segfault can you please tell me ?
Click to expand...
Click to collapse
Before I go do all this, can you make sure the issue persists with the v2.78 SR1 version from the BETA thread ? Some issues with supolicy were fixed in that release.
Started with a fresh emulator and the newest SuperSu and ran these commands to gain root (I am placing everything as described in update-binary in the right places just to eliminate one thing, missing dependencies)
Code:
adb shell df
adb shell mount -o remount,rw /system
adb push Superuser.apk /system/app/Superuser.apk
adb shell chmod 0644 /system/app/Superuser.apk
adb push install-recovery.sh /system/etc/install-recovery.sh
adb shell ln -s /system/etc/install-recovery.sh /system/bin/install-recovery.sh
adb shell chmod 0755 /system/etc/install-recovery.sh
adb push su /system/xbin/su
adb shell chmod 0755 /system/xbin/su
adb push su /system/bin/.ext/.su
adb shell chmod 0755 /system/bin/.ext/.su
adb push su /system/xbin/daemonsu
adb shell chmod 0755 /system/xbin/daemonsu
adb push su /system/xbin/sugote
adb shell chmod 0755 /system/xbin/sugote
adb push supolicy /system/xbin/supolicy
adb shell chmod 0755 /system/xbin/supolicy
adb push libsupol.so /system/lib/libsupol.so
adb shell chmod 0644 /system/lib/libsupol.so
adb push 99SuperSUDaemon /system/etc/init.d/99SuperSUDaemon
adb shell chmod 0755 /system/etc/init.d/99SuperSUDaemon
adb shell su --install
adb shell "su --daemon&"
adb install superuser.apk
adb install rootcheck.apk
No everything should be in place, and we now can eliminate one thing (supolicy not finding needed dependencies)
Opened up SuperSu and let it install/update binary (succesful)
I then proceeded to patch the sepolicy file like so
Code:
adb push sepolicy /data/local/tmp/sepolicy
adb shell su -c "supolicy --file /data/local/tmp/sepolicy /data/local/tmp/sepolicy_out"
I then did "ls" in the directory and no file out-putted. So I went into a shell and ran
Code:
supolicy --file /data/local/tmp/sepolicy /data/local/tmp/sepolicy_out
And it throw the error shown in the image below. First time running that command in shell it says stopped, but the second time it says stopped as well as segfault.
Keep in mind I am trying to patch a sepolicy file that originates from an armv8 cpu (arm64) on an x86 Intel emulator.
Any more info needed? I am happy to help @Chainfire
So, I think it has something to do with your emulator image (perhaps its too old ?)
I took SuperSU's ZIP file and extracted it, changed to that folder, then:
(note that my adb shell to my emulator image has # root by default)
Code:
adb push c:\download\sepolicy /data/local/tmp/sepolicy
adb push x86\. /data/local/tmp/.
adb shell
cd /data/local/tmp
chmod 0755 supolicy
LD_LIBRARY_PATH=/data/local/tmp:$LD_LIBRARY_PATH ./supolicy --file sepolicy sepolicy_out
exit
Resulting in:
Code:
supolicy v2.78 (ndk:x86) - Copyright (C) 2014-2016 - Chainfire
Patching policy [sepolicy] --> [sepolicy_out] ...
- Success
So, I'm really not sure what might be going on with your setup, but I don't think its SuperSU itself, but rather the emulator.
Note that to use supolicy --file, you only need supolicy and libsupol.so, you don't even need root.
Chainfire said:
So, I think it has something to do with your emulator image (perhaps its too old ?)
I took SuperSU's ZIP file and extracted it, changed to that folder, then:
(note that my adb shell to my emulator image has # root by default)
Resulting in:
So, I'm really not sure what might be going on with your setup, but I don't think its SuperSU itself, but rather the emulator.
Note that to use supolicy --file, you only need supolicy and libsupol.so, you don't even need root.
Click to expand...
Click to collapse
Hmm, I really don't know what is wrong, I will try exactly what you have done later today, to see If can reproduce the output. If it doesn't work then we can pin it down to the emulator itself. What emulator image did you use?
I also realise that so emulator are rooted in the sense that web shell has root acess, just wasn't sure what dependices supolicy had at the time.
Matt07211 said:
Hmm, I really don't know what is wrong, I will try exactly what you have done later today, to see If can reproduce the output. If it doesn't work then we can pin it down to the emulator itself. What emulator image did you use?
I also realise that so emulator are rooted in the sense that web shell has root acess, just wasn't sure what dependices supolicy had at the time.
Click to expand...
Click to collapse
I created an API 22 Google Nexus x86_64 AVD in Android Studio
I should be able to try that in about 20-30 mins after I download it, I was using api level 19, Intel's emulator image.
I ran these commands on the Intel api 19 x86 emulator image.
Code:
adb push libsupol.so /system/lib/libsupol.so
adb shell chmod 0644 /system/lib/libsupol.so
adb push /system/xbin/supolicy
adb shell chmod 0755 /system/xbin/supolicy
adb push supolicy /data/local/tmp/supolicy
adb shell chmod 0755 /data/local/tmp/supolicy
adb push sepolicy /data/local/tmp/sepolicy
adb shell
cd /data/local/tmp
chmod 0755 supolicy
LD_LIBRARY_PATH=/data/local/tmp:$LD_LIBRARY_PATH ./supolicy --file sepolicy sepolicy_out
and it results in the error(shown in screenshot)
Code:
libsepol.policydb_read: policydb magic number 0x464c457f does not match expected magic number 0xf97cff8c or 0xf97cff8d
-Failure!
I then tried it on the Intel x86_64 api 22 emulator image (running the same commands as the first one, resulting in a succes, with the file being outputted as the sepolicy_out.
So as you have stated @Chainfire , it looks like a problem with the emulator itself, and most likely not the supolicy tool.
Chainfire said:
So, I think it has something to do with your emulator image (perhaps its too old ?)
I took SuperSU's ZIP file and extracted it, changed to that folder, then:
(note that my adb shell to my emulator image has # root by default)
Code:
adb push c:\download\sepolicy /data/local/tmp/sepolicy
adb push x86\. /data/local/tmp/.
adb shell
cd /data/local/tmp
chmod 0755 supolicy
LD_LIBRARY_PATH=/data/local/tmp:$LD_LIBRARY_PATH ./supolicy --file sepolicy sepolicy_out
exit
Resulting in:
Code:
supolicy v2.78 (ndk:x86) - Copyright (C) 2014-2016 - Chainfire
Patching policy [sepolicy] --> [sepolicy_out] ...
- Success
So, I'm really not sure what might be going on with your setup, but I don't think its SuperSU itself, but rather the emulator.
Note that to use supolicy --file, you only need supolicy and libsupol.so, you don't even need root.
Click to expand...
Click to collapse
@Chainfire, I'm trying to patch sepolicy for a Samsung device running Nougat, so that Supersu can be installed in system mode. Could you confirm if the --sdk=24 parameter is required?
adb shell su -c "supolicy --file /data/local/tmp/sepolicy /data/local/tmp/sepolicy_out --sdk=24"
Thanks, appreciate your time.
ashyx said:
@Chainfire, I'm trying to patch sepolicy for a Samsung device running Nougat, so that Supersu can be installed in system mode. Could you confirm if the --sdk=24 parameter is required?
adb shell su -c "supolicy --file /data/local/tmp/sepolicy /data/local/tmp/sepolicy_out --sdk=24"
Thanks, appreciate your time.
Click to expand...
Click to collapse
Yes it is.
System mode hasn't been tested at all on 7.0 though. I'm not sure anybody has been able to get it to work at this point.
If you do, let me know and with the steps
Chainfire said:
Yes it is.
System mode hasn't been tested at all on 7.0 though. I'm not sure anybody has been able to get it to work at this point.
If you do, let me know and with the steps
Click to expand...
Click to collapse
Hmm wasn't aware of the lack of support for system mode in nougat, any plans to implement?
It seems system mode root renders the device unbootable according to reports from my tester.
Question, if I modify the supersu script to mount su.img from /system am I likely to hit issues?
Seems a strange query I know.
Reason is we have a Samsung device that for some reason will not boot from a source built custom Nougat kernel. Not sure if this is related to AVB yet or something else.
However we can get a half assed TWRP to boot with the stock kernel.
Only problem is, no matter what, only /system can be mounted and accessed with write permission due to permission denied issues with the rest of partitions. Pretty sure this is an SELinux issue.
Meaning systemless root cannot be installed as normal. No access to /data or /cache.
I can patch the boot.img ramdisk manually for systemless, but for root to work I would need to push su.img to system and mount it from there.
Is it possible to still mount su.img from system if I modify the ramdisk init as required?
The other avenue is to flash su.img to /data or /cache via ODIN.
If it was flashed to /cache would supersu automatically pick up its location and copy it to /data or would a flag need to be set?
Just trying to keep my options open here.
ashyx said:
Hmm wasn't aware of the lack of support for system mode in nougat, any plans to implement?
It seems system mode root renders the device unbootable according to reports from my tester.
Click to expand...
Click to collapse
It is on my list of things to test/fix, but that list is long and full of terrors.
Question, if I modify the supersu script to mount su.img from /system am I likely to hit issues?
Is it possible to still mount su.img from system if I modify the ramdisk init as required?
Click to expand...
Click to collapse
I think that could work, yes.
The other avenue is to flash su.img to /data or /cache via ODIN.
If it was flashed to /cache would supersu automatically pick up its location and copy it to /data or would a flag need to be set?
Just trying to keep my options open here.
Click to expand...
Click to collapse
SuperSU should pick it up from /cache. Alternatively, try SuperSU's FRP mode, which stores a copy of the needed files in the boot-image and re-creates /data/su.img as needed.
Chainfire said:
It is on my list of things to test/fix, but that list is long and full of terrors.
I think that could work, yes.
SuperSU should pick it up from /cache. Alternatively, try SuperSU's FRP mode, which stores a copy of the needed files in the boot-image and re-creates /data/su.img as needed.
Click to expand...
Click to collapse
Thanks, great info as always. Finally managed to root the damn thing by adding a short script to the init which copies su.img to cache.
However FRP mode sounds like a more elegant solution if I can work out how to implement it in the Ramdisk.
Much appreciate your input.
ashyx said:
So, I think it has something to do with your emulator image (perhaps its too old ?)
...
Could you confirm if the --sdk=24 parameter is required?
adb shell su -c "supolicy --file /data/local/tmp/sepolicy /data/local/tmp/sepolicy_out --sdk=24"
Thanks, appreciate your time.
Click to expand...
Click to collapse
Yea believe it was segfaulting due to the Android version, I think I was using KitKat and it wasn't working, bumped up to lollipop and above and it worked fine
Oh, the SDK parameter, never heard of it, what does it do? Geuss I'll Google that then.
ashyx said:
Thanks, great info as always. Finally managed to root the damn thing by adding a short script to the init which copies su.img to cache.
However FRP mode sounds like a more elegant solution if I can work out how to implement it in the Ramdisk.
Much appreciate your input.
Click to expand...
Click to collapse
I did the same thing for my device, add a little script to move it to data. Had no other way to get it to a locked down device without TWRP. Hehe. Good job
Can you please tell me how to manually patch init by supersu ?
I've googled a lot, but haven't found a way to manually patch init by supersu.
My model is Honor v10, there isn't a custom recovery, so i have to make a boot.img with supersu inside to get root.

[Temp ROOT] FireTV 3rd gen Cube (gazelle) > PS7646

Overview
This rooting method is based on a new vulnerability in the ARM Mali GPU driver (CVE-2022-46395) discovered by security researcher Man Yue Mo at GitHub Security Lab, to gain root access to the 3rd gen Cube that is on firmware PS7646/3550 or older. You can also check the older root method that works up to firmware PS7613/3701.
The exploit program (gazelle_buf) is run directly on the Cube to spawn a temporary root shell for quick access. On average it takes 20-60sec for the exploit to gain root access. For best results, run gazelle_buf after a fresh reboot.
Temporary Root
Open an adb root shell to for quick access admin access
Pros:
Access all files and folders from ADB
Simple to use, runs in RAM and doesn't make any changes to the Cube, no chance of bricking.
Remove app package protection so that you can enable/disable any app even without root (eg custom launchers, disabling updates, debloat, etc).
Cons:
Only enables ADB root
NOTE: raven_buf won't brick your device, but what you do with that root access can. DM-verity is still in place checking the integrity of the system/vendor partitions, do NOT modify anything in those directories, or the boot partition!!
Instructions
Enable ADB debugging in FireOS settings
Download, unzip and copy gazelle_buf to your Cube
adb push gazelle_buf /data/local/tmp/
Open an ADB shell and give gazelle_buf execution permission (only needs to be done once)
adb shell ---> opens a 'gazelle: / $' prompt
gazelle:/ $ chmod +x /data/local/tmp/gazelle_buf
Run the program. Takes 20-60sec on average.
Root access is gained when the '$' prompt changes to '#' (gazelle:/ $ --> gazelle:/ #)
gazelle:/ $ /data/local/tmp/gazelle_buf
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Disable package protections
Use gazelle_shrinker to open a root shell and delete all the apps listed in the file /data/system/PackageManagerDenyList
gazelle:/ # setenforce 0
gazelle:/ # echo '<?xml version="1.0" encoding="utf-8" standalone="yes" ?><map><set name="DenyListKeyPackages"></set></map>' > /data/system/PackageManagerDenyList
Disable Arcus Proxy, to keep package protections off
gazelle:/ # pm clear com.fireos.arcus.proxy
gazelle:/ # pm disable-user com.fireos.arcus.proxy
Disable Amazon's ability to block apps on your device (eg Launcher Manager)
gazelle:/ # pm disable-user com.amazon.adep
gazelle:/ # pm clear com.amazon.adep
Disable OTA updates
gazelle:/ # pm disable-user com.amazon.device.software.ota
gazelle:/ # pm clear com.amazon.device.software.ota
gazelle:/ # pm disable-user com.amazon.device.software.ota.override
gazelle:/ # pm disable-user com.amazon.tv.forcedotaupdater.v2
A reboot is required before the package protections removal takes effect. Check & confirm the list of disabled apps:
gazelle:/ $ pm list packages -d
Contributors:
Man Yue Mo, @Functioner, @Pro-me3us
Thanks to @Renate for many great tools
@RiCkLaR for tip on disabling ADEP and AppBlockList
reserved
reserved
is this for the latest update for the cube?
Eagle1337 said:
is this for the latest update for the cube?
Click to expand...
Click to collapse
Yes, this will work on any 3rd gen firmware including the most recent PS7646 from the last two weeks.
If you are still on PS7613/3701 and using the older method, I don't recommend updating to PS7646. I haven't seen any benefits to the new firmware, and it's likely just got more Amazon tricks & restrictions to look out for.
IF you care about an eventual bootloader unlock, if anyone ever finds a way , staying on an older firmware increases the chances of being able to use it.
Hello. Followed your instructions on my 3rd gen Fire TV Cube, and saw the ADB Shell prompt change from $ to #.
Then entered in the suggested shell commands to disable OTA updates etc.
I then rebooted my device.
I am a bit confused, as when I re-established ADB connection, the shell prompt is back to a $, and not #.
Is that normal?, ie. to change anything, I have to redo the process after each restart?
Excuse my ignorance, kind of new to all this stuff.
three6zerocool said:
Hello. Followed your instructions on my 3rd gen Fire TV Cube, and saw the ADB Shell prompt change from $ to #.
Then entered in the suggested shell commands to disable OTA updates etc.
I then rebooted my device.
I am a bit confused, as when I re-established ADB connection, the shell prompt is back to a $, and not #.
Is that normal?, ie. to change anything, I have to redo the process after each restart?
Excuse my ignorance, kind of new to all this stuff.
Click to expand...
Click to collapse
Read:
4. Run the program. Takes 20-60sec on average.
Root access is gained when the '$' prompt changes to '#' (gazelle:/ $ --> gazelle:/ #)
No you dont need to do it after every restart. It's disabled until you change it back..
three6zerocool said:
I am a bit confused, as when I re-established ADB connection, the shell prompt is back to a $, and not #.
Is that normal?, ie. to change anything, I have to redo the process after each restart?
Click to expand...
Click to collapse
Yeah that's to be expected. If you cleared the PackageManagerDenyList described in the op instructions, then you won't need root access anymore to disable/enable any apps.
If you need root access for something else, then you only need to run gazelle_buf again
gazelle:/ $ /data/local/tmp/gazelle_buf
gazelle:/# setenforce 0
If you need routine root access or to be able to grant SU to apps, you can check the description of bootless Magisk from the previous exploit. That would give you the ability to open a root shell whenever you type gazelle:/ $ su
I still consider bootless Magisk experimental until a handful of people report back that they have been using it for a month+. I can update the older start script to work with gazelle_buf if you want to test it out.
Pro-me3us said:
Yeah that's to be expected. If you cleared the PackageManagerDenyList described in the op instructions, then you won't need root access anymore to disable/enable any apps.
If you need root access for something else, then you only need to run gazelle_buf again
gazelle:/ $ /data/local/tmp/gazelle_buf
gazelle:/# setenforce 0
If you need routine root access or to be able to grant SU to apps, you can check the description of bootless Magisk from the previous exploit. That would give you the ability to open a root shell whenever you type gazelle:/ $ su
I still consider bootless Magisk experimental until a handful of people report back that they have been using it for a month+. I can update the older start script to work with gazelle_buf if you want to test it out.
Click to expand...
Click to collapse
Thanks for the reply and explanation.
I mainly wanted to use this exploit to stop Amazon auto removing Launcher Manager, as I like to use custom Launcher.
I think I have done things correctly, but just noticed that Launcher Manager has been removed again.
I am sure I entered all the commands in correctly, as I noticed inside LM that Amazon Updates etc were already blocked.
Could it be the settings I have used in LM?
ie. I used the old method and it brought up an ADB permission request, then I enabled the original handler, and chose my custom launcher. (Wolf Launcher)
Have also tried the new method, but LM still keeps getting removed.
What's been happening is that Launcher Manager disappears, and home button still goes to Wolf Launcher, but I can no longer access any settings menus. (until I reinstall LM)
three6zerocool said:
I mainly wanted to use this exploit to stop Amazon auto removing Launcher Manager, as I like to use custom Launcher.
Click to expand...
Click to collapse
@RiCkLaR posted about this earlier, and I think he's right. I'll add it to the instructions in the OP in a day once it's confirmed.
For now, it appears that Launcher Manager is disabled by the app Adep. You can disable it, and that should be enough to stop having to do any more reinstalls.
gazelle:/ $ pm disable-user com.amazon.adep
gazelle:/ $ pm clear com.amazon.adep
Since you have root, if you want, you can keep Amazon Launcher enabled, and only disable the Amazon homescreen. This will allow you to use your custom launcher, and not break Amazon Launcher dependent functions. Things that will work: Amazon App Store search, homescreen search, FireOS settings menu, remote recent button, other things i'm forgetting
EDIT: I forgot that doing this causes the LiveTV app to hammer the OS, so that app has to be disabled. Clearing the LiveTV app data appears to be enough to keep that app from misbehaving.
To do this follow these steps:
gazelle:/ $ pm disable-user com.amazon.firehomestarter
gazelle:/ $ pm enable com.amazon.tv.launcher
gazelle:/ $ /data/local/tmp/gazelle_buf
gazelle:/ # setenforce 0
gazelle:/ # pm disable com.amazon.tv.launcher/.ui.HomeActivity_vNext
gazelle:/ # pm clear com.amazon.tv.livetv
gazelle:/ # exit
Pro-me3us said:
Since you have root, if you want, you can keep Amazon Launcher enabled, and only disable the Amazon homescreen. This will allow you to use your custom launcher, and not break Amazon Launcher dependent functions. Things that will work: Amazon App Store search, homescreen search, FireOS settings menu, remote recent button, other things i'm forgetting
EDIT: I forgot that doing this causes the LiveTV app to hammer the OS, so that app has to be disabled.
To do this follow these steps:
gazelle:/ $ pm disable-user com.amazon.firehomestarter
gazelle:/ $ pm enable com.amazon.tv.launcher
gazelle:/ $ pm disable-user com.amazon.tv.livetv
gazelle:/ $ /data/local/tmp/gazelle_buf
gazelle:/ # setenforce 0
gazelle:/ # pm disable com.amazon.tv.launcher/.ui.HomeActivity_vNext
gazelle:/ # exit
Click to expand...
Click to collapse
Thankyou oh so much, that is fantastic advice, and I followed your above instructions, and it worked wonderfully.
You are right, it is really nice using the native preferences over Launcher Manager ones.
Also it is really good to be able to search for apps etc.
Thankyou once again!.
I was taking another look at the method in post #10, I think it's fine to keep com.amazon.tv.livetv enabled, and that just clearing the app data after disabling the Amazon homescreen is enough to keep the LiveTV app from hammering the OS. I made a small edit to the steps to clear data, rather than disable LiveTV.
Since you already ran through the steps above, you can just clear the LiveTV app data, and re-enable the app without root
gazelle:/ $ pm clear com.amazon.tv.livetv
gazelle:/ $ pm enable com.amazon.tv.livetv
To verify that there are no apps acting up, use
gazelle:/ $ top
It will show all the running apps, memory & CPU usage. When you are on your custom launcher homescreen, the Cube should idle at ~720-750% CPU usage free (800% total = 100% x 8 cores). Verify that LiveTV app isn't at the top of the CPU usage list using +50-100%.

Categories

Resources