Can we use CVE-2019-2215 exploit to gain root?
The bug: https://bugs.chromium.org/p/project-zero/issues/detail?id=1942
POC code (probably could be used for root at least? I think unlocking is writing out a bit to a partition...so...): https://bugs.chromium.org/p/project-zero/issues/attachmentText?aid=414885
Here is a list of Phones affected by the hack.
A “non-exhaustive list” of vulnerable phones includes:
Pixel 1
Pixel 1 XL
Pixel 2
Pixel 2 XL
Huawei P20
Xiaomi Redmi 5A
Xiaomi Redmi Note 5
Xiaomi A1
Oppo A3
Moto Z3
Oreo LG phones
Samsung S7
Samsung S8
Samsung S9
Google stated it's being patched in the October security patch, and Google also stated it's being exploited by malicious actors, so I'm happy it's getting patched personally.
This is October... and so many people probably haven't updated yet. You misunderstand the implication - those of us with Verizon phones could use this, theoretically, to unlock and install a custom rom.
I would love to have a way of using this for a root, even a temp root.
This guy already built it:
https://forum.xda-developers.com/ga...ted-zero-day-exploitcve-t3978059#post80441545
On my pixel it locks up, systemui crashes, and the phone reboots...
Ok so looking into this I need some specific addresses to make this work...
If any of you have a rooted Pixel XL running kernel 3.18.131-ga2426c4f8f23 could you please pastebin the output of cat /proc/kallsyms for me as root?
adb shell
su (approve on the phone screen)
cat /proc/kallsyms > /sdcard/syms.txt
Then take syms.txt and put it on pastebin.
What month kernel build, and should it be 8.1, 9.0, or doesn't it matter? Sean
Check this out: Pixel 2 XL forum
Did I miss something? Hasn't the Pixel XL been able to unlock the bootloader since 2018, or did it get patched?
Yep. Verizon Pixel 2 running 10, exploited and rooted. Never been rooted before. It was not too difficult, but I'd imagine there isn't much time to do it. I will write a post up as soon as I get a moment.
Bought a Pixel 2 XL today, waiting for you to post the exploit. I know, don't update the phone!?
peachypickle said:
Yep. Verizon Pixel 2 running 10, exploited and rooted. Never been rooted before. It was not too difficult, but I'd imagine there isn't much time to do it. I will write a post up as soon as I get a moment.
Please do write it up there are many waiting like me:highfive:
I acquired a Pixel 2. Would anyone know the process of how to flash the PoC zip to gain root? I don't know how to utilize the zip or the process to go about it. Sean
@peachypickle any update?
I still did not update to Android 10.
I was going to try the POC, but "chmod +x" is not working; I tried via Termux and ADB Shell, and it did not work.
I also tried to use Total Commander file manager to give execution permission, but it also didn't work.
How can I give execution permission to the POC?
arthurfragoso said:
I still did not update to Android 10.
I was going to try the POC, but "chmod +x" is not working; I tried via Termux and ADB Shell, and it did not work.
I also tried to use Total Commander file manager to give execution permission, but it also didn't work.
How can I give execution permission to the POC?
You have to move it to the Termux $HOME path first.
Is there any manual on how to use this vulnerability, and is there a user-ready exploit?
Thanks
Related
I Finally Got Temporary Root On The AT&T Samsung Galaxy Note 4 (and yes it is SuperSU, but it does require KingRoot)
I Did It
can you post the software info page with the build for verification of which device it's on?
Like you want the build number?
BTW here is how to do it
https://youtu.be/Xr_2LQimK9I
This is temporary root which means that once you reboot you're going to lose root... Sadly not much new...
Sent from my SAMSUNG-SM-N910A using Tapatalk
Meh, I know but it's better than nothing
Well if this is true it is new because it's on 5.1.1 and not 4.4.4. Going to give it a shot...
So I've tried twice now to root using Kingroot 4.8.0 on Android 5.1.1 and twice my phone has rebooted at the very end when I was trying to download SuperSUMe from the Playstore (did look like root was successful). Might have better luck if I factory reset my phone, but I'm not that interested in getting root.
I can verify that this indeed does provide a temp root on at&t note 4 v5.1.1
BUT! It causes the system to slow down and lag a lot, and the keyboard no longer works until the phone is rebooted, and when you reboot the Samsung startup screen shows a padlock that says custom. So the guys at kingoroot have managed to find a small crack, but it is too unstable to use at this time.
I did test out the root permissions on a few apps
1: es file explorer. (I was able to set rw permissions and move files from the internal to ext sd card and see root folders and files in the system)
2: lucky patcher (it was able to gain root and modify installed packages on the fly)
3: es task manager (I was able to access the root features but changes did not stick)
My hope is maybe someone can learn from this and make the temp root more stable even if temporary (i kinda doubt it since gaining temp root seems to freak the system out causing glitches and stutters)
I obtained temporary root; indeed, the only thing I could achieve is wipe bloatware and change the font lol.... So far so good.
Well remember, with Samsung changing the system on Android 5.1.1 now requiring a custom kernel to root one of their devices and knowing that AT&T locked the bootloader, this is the best we can get as of right now. Give the developers of KingRoot time because they have tried to root the note 4 without needing a custom kernel. I know it doesn't seem like a lot but give them time. We have waited this long for root. Why not wait a little bit longer for the root to stabilize?
Btw guys I rooted my note 4 on KingRoot v4.8.1, they haven't released this version on their website yet
And supersume pro probably won't work on this
I use the terminal emulator and a root script
DAKILLER29 said:
Well remember, with Samsung changing the system on Android 5.1.1 now requiring a custom kernel to root one of their devices and knowing that AT&T locked the bootloader, this is the best we can get as of right now. Give the developers of KingRoot time because they have tried to root the note 4 without needing a custom kernel. I know it doesn't seem like a lot but give them time. We have waited this long for root. Why not wait a little bit longer for the root to stabilize?
There is a bounty regarding it; if they achieve complete root, 8,000 dollars are waiting for anyone achieving it.
4.8.1 does stabilize things a little, but I can just about guarantee that they are using a hole in the stock keyboard to obtain temp root. I am going to experiment with non-stock keyboards and see what happens from there. I also noticed that the phone gets hot when rooted.
Does this temporary root allow the 910A to act as a wifi hotspot?
I was just about to list my Note 4 on Swappa. I can get by without root most of the time but when I need a hotspot, I really need it so I'm back on my Z2 for the moment.
terryowen said:
Does this temporary root allow the 910A to act as a wifi hotspot?
I was just about to list my Note 4 on Swappa. I can get by without root most of the time but when I need a hotspot, I really need it so I'm back on my Z2 for the moment.
At the moment, NO. Temp root is not stable enough to reliably run long enough to enable and keep enabled wifi hotspot, unless your carrier has opened that option. Lucky for me, wifi tethering is included in my plan with AT&T.
Any way to run Xposed with this?
So is it available for download somewhere? Or will it be soon?
terryowen said:
Does this temporary root allow the 910A to act as a wifi hotspot?
I was just about to list my Note 4 on Swappa. I can get by without root most of the time but when I need a hotspot, I really need it so I'm back on my Z2 for the moment.
After deleting all the bloatware it allowed me to use Hotspot without needing FoxFi, but I'm on Verizon so I couldn't tell you if it applies the same on AT&T, but I'm sure one of the programs installed is the one that blocks or prevents Hotspot from working properly.
I used Kingroot 4.8.1 (after you install 4.8.0 and open the app it tells you to update it) on my N910A and it got to 25% and failed? Happened a few times
Will I be able to edit build.prop on a Verizon Pixel without root? Do I need to first flash TWRP recovery and then use adb shell to update build.prop? Afterwards, change file permission and flash the stock recovery? If this is correct, will this have any impact on SafetyNet or future OTAs? Will my edits be overwritten by any OTAs?
Other than rooting, I'm assuming there's no (easier) way to accomplish the wifi tether check on this phone. I don't want to use the hack of using another app either (eg, flips the network then enable hotspot). I want to enjoy my pixel as stock without any further hacks. Otherwise, Verizon can keep their pixel.
Update:
Well, just remembered the Verizon Pixel boot loader is locked. I don't want to unlock it. Does this mean I can't flash recovery to accomplish the above? God, I'm so close to just saying f*ck it. I hate verizon.
My guess is once TWRP is released for pixel, you will need to flash a custom kernel to keep the build prop edit from reverting on boot. That is what I did for my N6 on 7.0. Just have to wait for TWRP to find out.
You do have to be rooted to edit your build.prop. You definitely will not receive OTAs once rooted, I believe it's been like this since Android 6.0. Even with stock recovery you can't get OTAs if you're rooted.
Edit...You still have to unlock the bootloader on a GS version in order to flash twrp.
Sent from my Pixel XL using XDA-Developers mobile app
Well, I found the Pixel XL at a local Verizon store----but, currently I have the Pixel (from Google). This hassle isn't worth it just for a bigger screen...plus, Verizon pixel only has 32 GB compared to my Google pixel with 128GB. This is the first android where I don't want to root----the phone and OS are that good now.
So, guess I'll cancel the Verizon pixel today. Was just hoping there'd be an easy way to "undo" the red devil's changes to Google's phone. Oh well.
Is there a how to on rooting the pixel 2 xl for Google fi yet? Also a how to on enabling the built in call recording function? Thanks
This might depend on whether you bought from Google or Verizon (edit: just noticed you said Project Fi 2 XL). I've heard Verizon locks down the bootloader.
But even if your bootloader is unlockable, I think it still takes some time. The most important part is to have a recovery image that you can install on your phone to allow you to install anything from the menu. The developers of TWRP (or your preferred recovery) have to build that for the phone. I'm not sure if it's the case, but they may need access to the required open source bits to build it (like kernel source), and usually that's released shortly after the phone is.
After that, I think you can just install your SU apk of choice, unless they need to customize that on a per-phone basis as well.
I remember reading a long time ago, there is a file you change from a 0 to 1 in google that turns on the native call recording feature. I've got my phone unlocked now. I can't remember if it requires root or not to enable that simple feature. Does anyone here know? If so, where is that file and variable I have to edit? Thanks
Right now we cannot root yet, because of 2 reasons. If either of these were not the case we'd be able to root
1) Google has not released factory images for these phones yet. When they do, we will be able to root our phones without a custom recovery using the newest version of Magisk.
2) There is no custom recovery for our phones yet. When this is available, we can flash either SuperSU or Magisk in recovery to root.
Both rooting options above would require an unlocked bootloader of course.
ElementalWindX said:
I remember reading a long time ago, there is a file you change from a 0 to 1 in google that turns on the native call recording feature. I've got my phone unlocked now. I can't remember if it requires root or not to enable that simple feature. Does anyone here know? If so, where is that file and variable I have to edit? Thanks
Maybe a build.prop feature? If so, yes, that would require root, or custom recovery (you could technically modify this file in recovery without rooting)
BUT, since rooting requires an unlocked boot loader AND unlocking wipes your device, might as well unlock as soon as you can.
The first thing I do when I get a new phone is unlock the bootloader, then it can Rock!
I thought the newer versions of SuperSU can be applied from factory recovery.
Sent from my Pixel XL using Tapatalk
Colchiro said:
BUT, since rooting requires an unlocked boot loader AND unlocking wipes your device, might as well unlock as soon as you can.
Since my first Android phone (Motorola Atrix 4G) back in 2011, the first thing I do when I receive the phone is to unlock the bootloader. Then I wait for the root to arrive.
abuttino said:
I thought the newer versions of SuperSU can be applied from factory recovery.
Sent from my Pixel XL using Tapatalk
It can but that wasn't built for the Pixel 2 and you might brick it..
Well, that sucks. I hope that ChainFire will update SuperSU one or two more times before he actually leaves.
I believe he's still consulting for now but, I hope he takes the ropes of the last phones of 2017.
Sent from my Pixel XL using Tapatalk
https://www.xda-developers.com/dirty-pipe-root-demo-samsung-galaxy-s22-google-pixel-6-pro/
March 15, 2022 7:40am Comment Skanda Hazarika
PSA: Dirty Pipe, the Linux kernel root vulnerability, can be abused on the Samsung Galaxy S22 and Google Pixel 6 Pro
What happens when a Linux privilege-escalation vulnerability that also affects Android gets disclosed publicly? You got it! Security researchers and Android enthusiasts around the world try to take advantage of the newly found problem to create an exploit, which can be used to gain advanced access to your device (such as root or the ability to flash custom images). On the other hand, device makers and a few determined third-party developers quickly take the responsibility to patch the backdoor as soon as possible.
This is exactly what happened to CVE-2022-0847, a vulnerability dubbed “Dirty Pipe” in Linux kernel version 5.8 and later. We talked about the exploit in detail last week but didn’t explicitly cover the potential abuse scenarios on Android. Now, XDA Member Fire30 has demonstrated an exploit implementation around the kernel flaw that can give the attacker a root shell on the Samsung Galaxy S22 and the Google Pixel 6 Pro.
The key point here is that you don’t need any kind of unlocking or other trickery to make it work – the Dirty Pipe exploit allows the attacker to gain root-level access on the target device through a reverse shell via a specially crafted rogue app. At the time of writing, flagships like the Google Pixel 6 Pro and the Samsung Galaxy S22 are vulnerable to the attack vector even on their latest software releases, which shows the exploit’s potential. Since it can also set SELinux to permissive, there is virtually no hurdle against unauthorized control over the device.
From the perspective of the Android modding scene, Dirty Pipe might be useful to gain temporary root access on otherwise difficult-to-root Android smartphones, e.g., some regional Snapdragon variants of the Samsung Galaxy flagships. However, the window won’t last long as the vulnerability has already been patched in the mainline Linux kernel, and OEMs will probably roll out the fix as part of the upcoming monthly security updates. Nonetheless, stay away from installing apps from random sources for the time being to protect yourself. In the meantime, we expect that Google will push an update to the Play Protect to prevent the vulnerability from being exploited via rogue apps.
Source: Fire30 on Twitter
Via: Mishaal Rahman
This isn't necessarily bad news if the exploit is used non-maliciously. Could be beneficial for Verizon customers looking for a way to gain root.
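Both kernel bugs in this thread can be triaged from two values any Android device reports: the security patch level (the earlier posts note CVE-2019-2215 was fixed in the October 2019 patch) and the kernel version from uname -r (Dirty Pipe exists from 5.8 onward). The script below is an added example, not code from the thread, from Google or from Fire30. It assumes a host with adb for the live check; the Dirty Pipe fixed-version numbers (5.10.102, 5.15.25 and 5.16.11) come from the upstream stable changelogs rather than from this page, and the 5.10 sample kernel string is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: decide whether a device still looks
# exposed to CVE-2019-2215 and CVE-2022-0847 from two strings it reports.
#   CVE-2019-2215: fixed in the October 2019 security patch level (per the
#                  thread), so any level before 2019-10 is treated as unpatched.
#   CVE-2022-0847: present from 5.8; fixed in stable 5.10.102 / 5.15.25 /
#                  5.16.11 (upstream stable changelogs, not stated on this page).
# The two functions are pure string logic; the adb part at the end only runs
# when adb is installed and a device is attached.

# patch_level_status YYYY-MM-DD  ->  unpatched | patched | unknown
patch_level_status() {
  y=$(printf '%s' "$1" | cut -c1-4)
  m=$(printf '%s' "$1" | cut -c6-7)
  case "$y$m" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo unknown; return 0 ;;
  esac
  m=${m#0}                                   # "09" would otherwise parse as octal
  if [ $((y * 100 + m)) -lt 201910 ]; then echo unpatched; else echo patched; fi
}

# dirty_pipe_status "<uname -r>"  ->  vulnerable | fixed | not_affected | unknown
dirty_pipe_status() {
  ver=$(printf '%s' "$1" | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
  [ -n "$ver" ] || { echo unknown; return 0; }
  set -- $ver
  maj=$1; min=$2; pat=$3
  if [ "$maj" -ne 5 ] || [ "$min" -lt 8 ] || [ "$min" -gt 16 ]; then
    echo not_affected; return 0              # before 5.8, or released after the fix
  fi
  case "$min" in
    10) [ "$pat" -ge 102 ] && echo fixed || echo vulnerable ;;
    15) [ "$pat" -ge 25 ]  && echo fixed || echo vulnerable ;;
    16) [ "$pat" -ge 11 ]  && echo fixed || echo vulnerable ;;
    *)  echo vulnerable ;;                   # 5.8, 5.9, 5.11-5.14: end-of-life, never fixed
  esac
}

# Offline demo: the 3.18 string a poster quoted above plus a constructed 5.10
# Android kernel string (not from a real device).
for lvl in 2019-09-05 2019-10-06; do
  echo "patch level $lvl: CVE-2019-2215 $(patch_level_status "$lvl")"
done
for k in 3.18.131-ga2426c4f8f23 5.10.66-android12-9-00021-g0000000; do
  echo "kernel $k: CVE-2022-0847 $(dirty_pipe_status "$k")"
done

# With adb on the host and a device attached, read the real values instead.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
  level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
  kver=$(adb shell uname -r | tr -d '\r')
  echo "device patch level $level: CVE-2019-2215 $(patch_level_status "$level")"
  echo "device kernel $kver: CVE-2022-0847 $(dirty_pipe_status "$kver")"
fi
```

The version logic is deliberately conservative: a 5.8, 5.9 or 5.11 to 5.14 kernel is reported vulnerable regardless of patch number because those stable series were end-of-life before the fix landed, and anything the parser cannot read comes back as unknown rather than as a false "fixed".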
westhaking said:
This isn't necessarily bad news if the exploit is used non-maliciously. Could be beneficial for Verizon customers looking for a way to gain root.
Could, yes. I'll remain pessimistic that it'll actually happen, and of course, it'll take someone willing to actually do the work. A very limited time to do it doesn't help unless someone with a spare Verizon device keeps it off the network/internet until something is implemented.
westhaking said:
This isn't necessarily bad news if the exploit is used non-maliciously. Could be beneficial for Verizon customers looking for a way to gain root.
I was just reading about this & that exact thought came to mind. The root access gained seems to be temporary, but if you can write to a usually read-only file system, could you not theoretically write a Magisk boot image (using dd, or in Magisk Manager itself?) or even toggle the OEM unlock switch via an SU shell command to unlock the phone?
I'm not very well versed on how the mechanics behind the OEM unlock switch in developer settings work, or how Verizon locks these phones down (UK based), but I would assume that it could be useful to help find an exploit for phones running any pre-April 22 update.
Edit: from my limited knowledge, can you not sideload an earlier OTA on Verizon devices? I know you could do so with Pixel 3 and earlier, but I haven't been following it too closely with later devices.
DanielF50 said:
or even toggle the OEM unlock switch via an SU shell command to unlock the phone?
I've never heard of a shell command that could toggle the OEM unlock. That doesn't mean it hasn't existed, but I doubt it, otherwise, I would think on all the Verizon devices I used to have, and just root threads in general I should remember anyone making the suggestion, even if it required temporary root first.
DanielF50 said:
Edit: from my limited knowledge, can you not sideload an earlier OTA on Verizon devices? I know you could do so with Pixel 3 and earlier, but I haven't been following it too closely with later devices.
I was under the impression that on all phones with the bootloader locked you could never, ever downgrade via any method. Also, OTAs generally use deltas/differencing to patch known-good files of version A to version B, and B to C, so applying a version B OTA to a device that's on version C would fail because the files on the device are the wrong version.
Like (let version A be represented with the value 1, B with 4, and C with 9):
Device is on version B, so "4".
OTA to go from B to C comes.
OTA says is device file "4"?
Yes! Add 5 to the file, it's now "9".
and then
Device is on version C, so "9".
Try to put the B to C OTA on the device.
OTA says is device file "4"?
No! It's "9", quit OTA process.
This might be simplified, and anyone correct me if I'm wrong, but this has definitely been the case some and I believe almost all, if not all, the time. The OTA files can be smaller that way because they don't contain replacement files. They only contain what the difference is between the old file and the new, which is usually much smaller than the entire file.
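The precondition check in the 4 -> 9 story above, as an added example that is not the poster's code and not Android's update_engine: a file stands in for a partition, cksum stands in for the source hash that a real delta payload carries for the data it was generated against, and the "difference" is a sed expression bound to that fingerprint. Applying the delta to the wrong source version is refused instead of producing a corrupt result.

```shell
#!/bin/sh
# Added example, not from the thread: a toy delta OTA with a source precondition.
# A delta is only meaningful against the exact source it was built from, so the
# delta records a fingerprint of that source and apply_delta refuses otherwise.

# fingerprint FILE  ->  CRC of the file's contents (cksum is POSIX; a real
# payload would carry a SHA-256 of the source data instead).
fingerprint() { cksum "$1" | cut -d' ' -f1; }

# build_delta SRC_FILE SED_EXPR  ->  prints "fingerprint|sed_expr": the
# difference to apply, bound to the source it was generated from.
build_delta() { printf '%s|%s\n' "$(fingerprint "$1")" "$2"; }

# apply_delta TARGET_FILE DELTA  ->  0 on success, 1 if the precondition fails
apply_delta() {
  expected=${2%%|*}
  change=${2#*|}
  actual=$(fingerprint "$1")
  if [ "$actual" != "$expected" ]; then
    echo "refusing delta: source fingerprint $actual, delta expects $expected" >&2
    return 1
  fi
  sed "$change" "$1" > "$1.new" && mv "$1.new" "$1"
}

# Offline demo with a constructed "partition" whose only content is the version
# marker 4 (version B in the story above).
part=$(mktemp)
printf '4\n' > "$part"
delta_b_to_c=$(build_delta "$part" 's/^4$/9/')       # generated against B
apply_delta "$part" "$delta_b_to_c" && echo "B -> C applied: device is now $(cat "$part")"
if ! apply_delta "$part" "$delta_b_to_c"; then
  echo "B -> C rejected: device is on $(cat "$part"), not 4"
fi
rm -f "$part"
```

The same structure is why a B -> C delta is both small (it carries only the change) and useless on any device that is not exactly on B: the fingerprint check fails before anything is written.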
I've held on to my old Note 9 for the last 3 years to use the native mobile hotspot with my GF data on Verizon.
I picked up an unlocked Pixel 6 Pro yesterday. Tried using the mobile hotspot and getting the attached popup when trying to use out of the box.
Is this something that can be bypassed/used simply by rooting?
There is an app on the playstore called "NetShare" - basically it pulls your data and it allows you to use it as a hotspot. Read the instructions and setup the proxy settings before you can use it.
You should be able to solve the problem by rooting and using the correct modification, which may or may not be available as a Magisk Module - however, I haven't been on Verizon in five years, so I only vaguely know what others have said more recently, which I've read, and which generally matched how it's always been on Verizon.
unboostedzc said:
Is this something that can be bypassed/used simply by rooting?
Yes, there is a Magisk module for tethering. It works very well, though I haven't seemed to need it after dumping my Pixel 4 XL for the 6 Pro. https://github.com/evdenis/tether_unblock
Another bypass is if you have a VPN account with someone. You turn it on in conjunction with the app VPN hotspot. Through the app, you can bypass the tethering provision of Verizon
I'm currently using VPN hotspot with a VPN provider and it's working great. Does anyone know if the magisk module posted above is a better no hassle solution?
murphyjasonc said:
I'm currently using VPN hotspot with a VPN provider and it's working great. Does anyone know if the magisk module posted above is a better no hassle solution?
Usually, root solutions (like the Magisk Module) are more seamless in my experience, but if that's the only reason you would root the phone, you may want to consider not doing so.
I root my phone, but I root my phone for a lot of root modifications.
roirraW edor ehT said:
Usually, root solutions (like the Magisk Module) are more seamless in my experience, but if that's the only reason you would root the phone, you may want to consider not doing so.
I root my phone, but I root my phone for a lot of root modifications.
I'm rooted but haven't tried this module. I'm going to give it a go. Thanks!
Awesome, thanks everyone. I'll go ahead and root this weekend via Magisk and see how it goes.
Working SafetyNet with Pixel 6 Pro Android 12
This is no longer using an Unofficial Magisk app, it's the official Canary and USNF 2.2.0 1. Download the latest Magisk Canary build 2. Patch the boot.img from the Factory Images in Magisk, you'll also need the vbmeta.img if you aren't already...
forum.xda-developers.com
I had posted in this thread tethering. I am on the original grandfathered unlimited internet plan still and don't want to change anything
for reference, this is what I did
Root your phone with magisk.
Install the Magiskhide Props Config module
Use some app that lets you have access to a terminal
Type "su" for superuser rights, then type "props" to access configuring the module.
Enter 5, Add/edit custom props
Enter n, New custom prop
Enter net.tethering.noprovisioning
Enter true
Enter 2, post-fs-data
Enter y
Enter y to reboot
viper8u2 said:
Working SafetyNet with Pixel 6 Pro Android 12
This is no longer using an Unofficial Magisk app, it's the official Canary and USNF 2.2.0 1. Download the latest Magisk Canary build 2. Patch the boot.img from the Factory Images in Magisk, you'll also need the vbmeta.img if you aren't already...
forum.xda-developers.com
I had posted in this thread tethering. I am on the original grandfathered unlimited internet plan still and don't want to change anything
for reference, this is what I did
Root your phone with magisk.
Install the Magiskhide Props Config module
Use some app that lets you have access to a terminal
Type "su" for superuser rights, then type "props" to access configuring the module.
Enter 5, Add/edit custom props
Enter n, New custom prop
Enter net.tethering.noprovisioning
Enter true
Enter 2, post-fs-data
Enter y
Enter y to reboot
This worked perfectly, thanks!
Do I need to keep MagiskHide Props Config active once I've completed the above and tethering is working? I've got this, as well as Universal SafetyNet Fix currently active in my Modules
unboostedzc said:
This worked perfectly, thanks!
Do I need to keep MagiskHide Props Config active once I've completed the above and tethering is working? I've got this, as well as Universal SafetyNet Fix currently active in my Modules
Yes, keep that.
roirraW edor ehT said:
Yes, keep that.
Hi,
Would this work on a free pixel 6 deal provided by Verizon?
Are there any other cheaper ways to get unlimited hotspot, to your knowledge?
Many Thanks
noah1996 said:
Hi,
Would this work on a free pixel 6 deal provided by Verizon?
Are there any other cheaper ways to get unlimited hotspot, to your knowledge?
Many Thanks
No. This requires an unlocked bootloader and root. Verizon variants are locked down and will continue to be for the foreseeable future. They cannot be bootloader unlocked.
Hi,
appreciate the help.
Which models of the pixel 6 are unlocked?
noah1996 said:
Hi,
appreciate the help.
Which models of the pixel 6 are unlocked?
The Factory Unlocked Pixels from the Google Store are the only ones where you can unlock the bootloader, no questions asked. Note that "Unlocked" means carrier unlocked, which is different from bootloader unlock, but with the Factory Carrier-Unlocked Pixel from the Google Store, you can unlock the bootloader any time you want.
I don't know about AT&T, but T-Mobile variants can be bootloader unlocked once you pay off the phone.
Also, note that Verizon phones are usually Carrier Unlocked, but nothing will ever allow you to unlock the bootloader on a Verizon phone.
unboostedzc said:
I've held on to my old Note 9 for the last 3 years to use the native mobile hotspot with my GF data on Verizon.
I picked up an unlocked Pixel 6 Pro yesterday. Tried using the mobile hotspot and getting the attached popup when trying to use out of the box.
Is this something that can be bypassed/used simply by rooting?
I am also on Verizon and, out of the box with no mods, hotspot works fine, and my device is unlocked.
I just went through this problem with my Motorola with a GFDP. I needed to unlock the boot loader, root the device and install an app off github granting it root privs. It was painless. You still get the subscription pop up, but when using the app to turn on the hotspot, it bypasses the native hotspot enable/disable https://github.com/Mygod/VPNHotspot
Hi, I'm trying to figure out how to have unlimited Verizon hotspot. Do you have any tips to share, such as do you know if this method works for any bootloader-unlocked Android phone?
Many thanks
noah1996 said:
Hi, I'm trying to figure out how to have unlimited Verizon hotspot. Do you have any tips to share, such as do you know if this method works for any bootloader-unlocked Android phone?
Many thanks
I think it does work for all android phones. I don't have the pixel 6 though. For my motorola I unlocked, rooted and then used vpnhotspot apk from github. Grant it root and then enable the hotspot through it to bypass the block.