grack warns Google and Sprint about EVO security hole - EVO 4G Q&A, Help & Troubleshooting

Grack is reporting that holes in Sense have made it ridiculously easy for any app to escalate itself to root. He notes in the post that "both Google and Sprint have been very proactive in plugging this hole." He also notes that, while he will be releasing his rooter tomorrow, he won't be explaining it for a week. This makes me wonder if there's an OTA in the works that will close at least his vulnerability in the meantime.

theillustratedlife said:
Grack is reporting that holes in Sense have made it ridiculously easy for any app to escalate itself to root. He notes in the post that "both Google and Sprint have been very proactive in plugging this hole." He also notes that, while he will be releasing his rooter tomorrow, he won't be explaining it for a week. This makes me wonder if there's an OTA in the works that will close at least his vulnerability in the meantime.
Click to expand...
Click to collapse
wow, this sounds like a serious security flaw. i'd prefer not to see a worm or malicious 3rd party app gaining root access through poorly coded HTC sense apps.
dont think it will remove NAND protection of /system in normal android mode.
it will provide an alternate way to achieving root access in normal android mode besides loading Flipz ROM.
wonder if removing all sense related software will remove this exploit?
guess we'll be able to start testing tomorrow...

joeykrim said:
wow, this sounds serious.
wonder if removing all sense related software will remove this exploit?
guess we'll be able to start testing tomorrow...
Click to expand...
Click to collapse
That's a good point, I guess AOSP 2.1 doesn't have this problem since he says its due to Sprint's additions.

Has HTC / Sprint ever been fast at rolling out an update?
I wouldn't worry, maybe an OTA months down the road, but I wouldn't count on anything within weeks...

The last Sprint phone I had was a RAZR, so I'm a bad source as to their history of timeliness; however, I wouldn't be surprised if they had a different strategy for pushing out a critical security patch than they would for a new system build.
They don't have to rewrite thousands of files against a new trunk build, bounce it between vendors, run extensive Android compatibility suites, etc. It's quite possible they have a few relatively simple changes to make to close grack's hole.

i bet they will patch it when they patch the tethering so that you have to pay for it. some time in july

there will be an update tomorrow. dont know the change log.......

so is it better to root or not to?

lawl
10 char

{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Wow, you had to dig up this thread over a year old just to post "lawl". I'm proud

Usually I hate resurrected threads, but this one deserves a second look.
At this point should we continue to wait for 2.3 root, or build a time machine to prevent the update from being rolled out?

Actually, yeah, this is definitely something worth looking at.
If the exploit still exists, it might be able to get root for people on the OG Evo 2.3.
Anyone look (like teamwin) look into this yet?

github said:
Wow, you had to dig up this thread over a year old just to post "lawl". I'm proud
Click to expand...
Click to collapse
Lmao I just hit the last page button
Sent from my PC36100 using XDA Premium App

Nick N said:
Usually I hate resurrected threads, but this one deserves a second look.
At this point should we continue to wait for 2.3 root, or build a time machine to prevent the update from being rolled out?
Click to expand...
Click to collapse
MultiDev said:
Actually, yeah, this is definitely something worth looking at.
If the exploit still exists, it might be able to get root for people on the OG Evo 2.3.
Anyone look (like teamwin) look into this yet?
Click to expand...
Click to collapse
Nope, sorry, this was right after the phone was released and long been fixed. All those with the original stock 2.3 are still SOL for now.

Related

damn wife tried to help me, and i think she screwed me even more...

So I just got my Evo, and out the box it already had the Anti-Root OTA Update installed... well she took hers to sprint today since she couldnt get Netflix to work, and they told her there was an update availible to fix that. so she downloaded it on hers and now netflix wirks great for her.
So she comes home, and grabs mine and updates it for me... trying to prove to me that she knows how to do some things... Now my software number is 4.24.651.1... yay... wonder when THIS one is gonna be cracked so i can finally root this thing!
sorry dude the root method isnt availabile yet but devs and unrevoked are workin on it i think they will have root method out by october bro
Leave her...
I believe you can flash the ruu back to 2.2 and root.
supe12sta12z said:
I believe you can flash the ruu back to 2.2 and root.
Click to expand...
Click to collapse
I have heard from a handful of people this wont work since I am S-on.
I know Unrevoked and all the smart people are working on it. I can wait. I just couldnt believe she actually touched my phone and updated it... she should know better!
Your netflix is working now, thank her.
NewZJ said:
Your netflix is working now, thank her.
Click to expand...
Click to collapse
i feel for you, but... XD!!!
My wife touched my phone once...
Good news is she's finally getting used to having 8 fingers...
NewZJ said:
Your netflix is working now, thank her.
Click to expand...
Click to collapse
well, yea... but I dont use it to much.. I tend to download things...
Mark_Hardware said:
My wife touched my phone once...
Good news is she's finally getting used to having 8 fingers...
Click to expand...
Click to collapse
Haha that made me laugh.....
jadden said:
i think they will have root method out by october bro
Click to expand...
Click to collapse
You can't be serious?!? Within 6 days people can find a way to root the EVO 3D, but the Gingerbread update that's been out for a month, can't be cracked?
I'm in no situation to get upset, I guess. I don't know a thing about how to do it, but I had to replace my rooted phone due to a cracked casing, and I just received the new one 2 days ago.
I'm missing all the goods....like Synergy.
when they think they know it all, let them do the hard work
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
mcwups1 said:
You can't be serious?!? Within 6 days people can find a way to root the EVO 3D, but the Gingerbread update that's been out for a month, can't be cracked?
Click to expand...
Click to collapse
Originally the Evo was rooted before it actually launched (thanks toast!). HTC has gotten better locking the Evo down since then.
Does this give you free access to her purse now? LOL
nm....Frustrated with Spint
Tell her that you have made a choice to leave her for your phone. and you want to have great sex with the HDMI port on your phone. lmao!!!!! Cause we all know it is that small since you can't tell her NOT to touch your phone. lol! but then again, girls will be girls. they'll do what they want anyway because they actually think they know what they are doing because some idiot at sprint told her that. lmao. anyway. hahahhahahahahaha. The only reason I root is to use the SO CALL FREAKING 10 DOLLARS a month they are stealing from us. Use as much internet as I can. hahahahahaha
Every one of you who would even joke about your wife the way you are should be ashamed of yourself. As for the OP, you should be kicked hard in the junk for such a disrespectful thread title.
this entire thread is making me laugh my ass off. hahahahhaa
Mark_Hardware said:
My wife touched my phone once...
Good news is she's finally getting used to having 8 fingers...
Click to expand...
Click to collapse
That's freakin rad! I thought my wife was the only one with 8 fingers now.
Sent from my PC36100 using XDA App
Did you leave your phone on the stove? Only time a woman should be able to find it.
Sent from my PC36100 using XDA App

[VZW]Verizon Updates Droid X (9/13/13)

My first droid was a Motorola Droid X. Moved on to the X2 and then the nexus. I'm not 100% positive, but I think the X came out in 2010. Both the X and X2 were EOL by VZW pretty quickly. Which I thought was odd especially since the X2 was the first dual core phone if memory serves me correctly.
Anyways my dad was telling me he got notified about a system update today. I told him there was no freaking way Verizon sent an OTA to his phone. So it was booting and when it booted back up I saw that message. (Picture attached.)
So the Droid X just got what looks to be an OTA kernel update. I honestly never thought that phone would see any kind of OTA, ever again.
So what do you think this means as far as an official 4.3 or possibly KitKat OTA from Big Red for our phones? I posted a topic in that phones forum, but I figured I would post it here and see what you guys thought about it and if it means maybe we will get an update. Just something to discuss. If I'm breaking the rules mods feel free to lock this.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
RoyJ said:
So what do you think this means as far as an official 4.3 or possibly KitKat OTA from Big Red for our phones? I posted a topic in that phones forum, but I figured I would post it here and see what you guys thought about it and if it means maybe we will get an update. Just something to discuss. If I'm breaking the rules mods feel free to lock this.
Click to expand...
Click to collapse
I don't think this belongs in the Galaxy Nexus forum for one, but there's absolutely no way it's even a 4.3 update, much less Kitkat.
Motorola long ago confirmed it wouldn't even get ICS, correct? Motorola during that time had a terrible habit of releasing phones that were practically EOL'd at launch (I know, I own a Droid 2 Global).
I can say with 99.9% certainty it's probably a small patch that does something like close exploits.
Yeah that's about all it does. Looks like it's a couple days old, too. Just got pushed to my dads phone today is all.
I just posted this here because our phone really wasn't updated that long ago by Verizon but a lot of forum members I see in different topics seem doubtful the Verizon nexus will ever see 4.3, let alone KitKit. I understand we're talking about kernel exploit patches vs operating systems here, but if they'll update a phone that old (just a patch or not) is there maybe hope they are working on our phone still? Maybe just wishful thinking? :/
RoyJ said:
Yeah that's about all it does. Looks like it's a couple days old, too. Just got pushed to my dads phone today is all.
I just posted this here because our phone really wasn't updated that long ago by Verizon but a lot of forum members I see in different topics seem doubtful the Verizon nexus will ever see 4.3, let alone KitKit. I understand we're talking about kernel exploit patches vs operating systems here, but if they'll update a phone that old (just a patch or not) is there maybe hope they are working on our phone still? Maybe just wishful thinking? :/
Click to expand...
Click to collapse
Well, it would be on Motorola and Google to make the updates for the Droid X2 and the Galaxy Nexus, respectively. Verizon's only part is in their "extensive testing" that delays everything to ensure phones aren't doing something to screw with their network (but of course, Apple is exempt from these testing regulations, I guess they're somehow more trustworthy than Google).
So, it's not really Verizon potentially updating the Galaxy Nexus, it's Verizon accepting and pushing out Google's update (hypothetically- we don't know if they will bother updating the toro devices to 4.3+ or not).
This means that Motorola would have to make an update and submit it to Verizon, and considering they have already said the device will not be updated past Gingerbread, I don't think that will happen.
That's why I really only advocate getting onto a GSM carrier and buying an unlocked Nexus device from Google to anyone I know who expects timely Android updates.
The Verizon galaxy nexus will eventually be updated. Likely after the next update so WiFi auto connect isn't broken. Right now it is and that's a major issue.
Sent from my Nexus 7 2013 using xda premium

[REQUEST]AOSPA 4.0+ for VZW HTC One

I'm hoping that someone wants to take up the task of porting AOSPA 4.0+ from the GSM One to us Verizon variants.
Link to OG thread: http://forum.xda-developers.com/showthread.php?t=2315236
Leraeniesh said:
I'm hoping that someone wants to take up the task of porting AOSPA 4.0+ from the GSM One to us Verizon variants.
Link to OG thread: http://forum.xda-developers.com/showthread.php?t=2315236
Click to expand...
Click to collapse
Download the zip. Unpack it. Delete the getprop portion of the updaterscript. Flash it and see what happens. The mount points match our vzw...should work.
I could try doing it, I used to back in the samsung stratosphere days. lol
Don't expect anything special.
Leraeniesh said:
I'm hoping that someone wants to take up the task of porting AOSPA 4.0+ from the GSM One to us Verizon variants.
Link to OG thread: http://forum.xda-developers.com/showthread.php?t=2315236
Click to expand...
Click to collapse
I'm surprised that you haven't tried it yourself. You've been in the community longer than many of us, and have a pretty large collection of devices it seems. Not trying to be sarcastic at all. Just figured you might try porting it yourself, for your use; and if it rocks you could always share it with us. Good luck! You can do it!!:good:
xRogerxC said:
I'm surprised that you haven't tried it yourself. You've been in the community longer than many of us, and have a pretty large collection of devices it seems. Not trying to be sarcastic at all. Just figured you might try porting it yourself, for your use; and if it rocks you could always share it with us. Good luck! You can do it!!:good:
Click to expand...
Click to collapse
If it was an Xperia Play, it would have been ported in an instant.
Still learning quite a bit and have given it a few attempts.
So far, I can boot it up and everything else works fine, but can't get a signal.
I also don't have the same amount of free time I used to
Sent from my One using xda premium
I've got a couple builds of this here somewhere.
If I can find them and they run like I remember, maybe I will post one up.
I just recall building it and thinking, this sure is pretty vanilla for PA.
In other words, it's pretty basic stock Kitkat right now, with very few extras.
But like I said, if I can find it and it runs like I remember, maybe I will post it up, or maybe it's time I make a fresh build.
Will have to see what kind of time I have...lot going on right now or I would say I will post for sure.
I've also got an IOAP build I was considering posting if there is interest in such a thing...
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
santod040 said:
I've got a couple builds of this here somewhere.
If I can find them and they run like I remember, maybe I will post one up.
I just recall building it and thinking, this sure is pretty vanilla for PA.
In other words, it's pretty basic stock Kitkat right now, with very few extras.
But like I said, if I can find it and it runs like I remember, maybe I will post it up, or maybe it's time I make a fresh build.
Will have to see what kind of time I have...lot going on right now or I would say I will post for sure.
I've also got an IOAP build I was considering posting if there is interest in such a thing..
Click to expand...
Click to collapse
Count me in as interested! That UI looks cool. If you need anyone to test for you, count me in. I know you have alot going on, so if I can help, let me know.
xRogerxC said:
Count me in as interested! That UI looks cool. If you need anyone to test for you, count me in. I know you have alot going on, so if I can help, let me know.
Click to expand...
Click to collapse
That's already being taken care of.
Sent from my HTC6500LVW using Tapatalk

VZW Update? (Screenshots)

Hey guys, it looks like Verizon is rolling out an update. I clicked to see what was inside but it took me to a broken link. Does anyone know anything about this?
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Mine is installed and upgrading android and optimizing apps.... I will know soon!
teegunn said:
Mine is installed and upgrading android and optimizing apps.... I will know soon!
Click to expand...
Click to collapse
I bit the bullet. This is what I got.
Yeah mine is the same. Can't tell any differences so far. The link for what the update contains was broken, so I have no details. I am sure they will be posted here soon enough though.
Mine just completed. Odd, they updated the kernel with a date of 9/8 but did not push the Sept security patch.
Double post...
I can't find this anywhere... N950usqu1aqi5
sebastianraven said:
I can't find this anywhere... N950usqu1aqi5
Click to expand...
Click to collapse
Cool blog... http://www.theandroidsoul.com/veriz...ts-first-ota-update-with-build-n950usqu1aqi5/
It would be cool if who ever wrote it at least give me credit for my screenshots.
sebastianraven said:
Cool blog... http://www.theandroidsoul.com/veriz...ts-first-ota-update-with-build-n950usqu1aqi5/
It would be cool if who ever wrote it at least give me credit for my screenshots.
Click to expand...
Click to collapse
Yup, they used mine as well with no credit either. Boo
Edit: I commented on that Blog
Thanks to you two for that then lol. Can't stand people that pick others stuff and post it taking credit. But anyway thanks for the help... I had no idea what the update was for and just clicked it in a half sleep this morning.
I was reading about that bluebourne vulnerability so glad they covered that. Anyone know who runs that blog?
CtrlZThis said:
Thanks to you two for that then lol. Can't stand people that pick others stuff and post it taking credit. But anyway thanks for the help... I had no idea what the update was for and just clicked it in a half sleep this morning.
I was reading about that bluebourne vulnerability so glad they covered that. Anyone know who runs that blog?
Click to expand...
Click to collapse
The article author's email address is at the end of the article. I don't know that he runs the blog, but someone keeps deleting my comments. The vulnerability IS NOT FIXED by this update. Armis' vulnerability scanner indicates that my updated Note 8 is still vulnerable.
EDIT: A post to a VZW update thread on Reddit suggests that the Armis app may be providing a false positive. I've emailed Armis with a request for verification and will followup if/when they reply.
CtrlZThis said:
Thanks to you two for that then lol. Can't stand people that pick others stuff and post it taking credit. But anyway thanks for the help... I had no idea what the update was for and just clicked it in a half sleep this morning.
I was reading about that bluebourne vulnerability so glad they covered that. Anyone know who runs that blog?
Click to expand...
Click to collapse
No idea. Someone cool obviously.
The link worked for me. Says it update the swipe on the keyboard and better gps in nav apps.
Dodge DeBoulet said:
The article author's email address is at the end of the article. I don't know that he runs the blog, but someone keeps deleting my comments. The vulnerability IS NOT FIXED by this update. Armis' vulnerability scanner indicates that my updated Note 8 is still vulnerable.
EDIT: A post to a VZW update thread on Reddit suggests that the Armis app may be providing a false positive. I've emailed Armis with a request for verification and will followup if/when they reply.
Click to expand...
Click to collapse
UPDATE: Version 1.04 of Armis' app now correctly reports that VZW Note 8s have been patched to eliminate the vulnerability.
Mike02z said:
Mine just completed. Odd, they updated the kernel with a date of 9/8 but did not push the Sept security patch.
Click to expand...
Click to collapse
Hey what theme is that?
Well, I was prompted to install this update on my "SM-N950F/DS" (international variant), and maybe the update you're getting includes some of these changes?
I noticed that I can't see the device maintenance option anymore. I was trying to look to see my free ram available
Any way to know if this could effect a potential root exploit or not? I'm always leery of taking updates when I first get a phone that hasn't achieved root yet. Is it safe to install?
PsiPhiDan said:
Any way to know if this could effect a potential root exploit or not? I'm always leery of taking updates when I first get a phone that hasn't achieved root yet. Is it safe to install?
Click to expand...
Click to collapse
This is why I always hold off on every update. Seems as if people are still finding what this update was all about.
Blueborne update, as far as I know

General Paranoid Android might be coming to the P6 / Pro

https://twitter.com/i/web/status/1453843673901379586
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
That would be awesome...the kitchen is starting to heat up!
galaxys said:
That would be awesome...the kitchen is starting to hear up!
Click to expand...
Click to collapse
Damn that would almost tempt me to root again. But not for Pay and banking. We need a phone that is shipped with the bootloader unlocked and rooted. Then if you try to lock it or unroot you get a warning that your apps won't work now. Then you wake up.
bobby janow said:
Damn that would almost tempt me to root again. But not for Pay and banking. We need a phone that is shipped with the bootloader unlocked and rooted. Then if you try to lock it or unroot you get a warning that your apps won't work now. Then you wake up.
Click to expand...
Click to collapse
We're all in the Matrix and in real life our phones are all rooted - that's how we got put in the Matrix to begin with.
Oh paranoid android will come to our device alright! It just won't be supported for more than like an update like always. Everytime I switch to PA they abandon it. Funniest part is they usually JUST released it to. Extremely hard pass from me, but don't let ME stop you. Just don't tell me I didn't warn you when they cease development very quickly.
Gytole said:
Everytime I switch to PA they abandon it. Funniest part is they usually JUST released it to. Extremely hard pass from me, but don't let ME stop you. Just don't tell me I didn't warn you when they cease development very quickly.
Click to expand...
Click to collapse
Are you paranoid... android?
Sorry, couldn't resist, just a joke.
Gytole said:
Oh paranoid android will come to our device alright! It just won't be supported for more than like an update like always. Everytime I switch to PA they abandon it. Funniest part is they usually JUST released it to. Extremely hard pass from me, but don't let ME stop you. Just don't tell me I didn't warn you when they cease development very quickly.
Click to expand...
Click to collapse
Lmao you're right though I'm not falling for the hype anymore. It seems they just do it for likes , shares and donations cuz for the like the last few years they'll announced a new version when the next Android os drops then after a build or 2 they go missing again for a whole year or 2 and leave us in the dust I'm good!
yeah i stayed away as its not guaranteed to be updated all the time
my go to custom ROMs are AOSIP or Havoc but neither are developing for P6 I think. But Proton does look like it could be good also.
Agree with the commenters here; Paranoid Android is no longer reputable (and hasn't been in many years). ProtonAOSP, Lineage, AOSIP, and a bunch of other mainstream ROMs will officially support the P6 so it is absolutely not worth messing with PA.
I'd like to add "but" the more developers working on the P6P the better for everyone, even if one group's stuff isn't up to snuff. At least, as long as they share information when appropriate, which the best developers do, in my opinion.
roirraW edor ehT said:
I'd like to add "but" the more developers working on the P6P the better for everyone, even if one group's stuff isn't up to snuff. At least, as long as they share information when appropriate, which the best developers do, in my opinion.
Click to expand...
Click to collapse
Yeah, development on the P5 was severely lacking but on the P6 and the P6P many more people have it in their hands. Unfortunately, I don't root any longer but I like to see the tweaks and new stuff the devs come up with. (I actually rooted my P5 and loaded a rom before rolling it back before I sent it in for trade-in) Specifically kernel tweaks which are usually drastically needed. Nonetheless, it's a good start as you say.

Categories

Resources