Related
This thread is intended for the Droid Turbo 2. For the lucky Moto X Force owners, this thread shouldn't apply to you.
I think there are some brilliant minds lurking on this forum and I'm hoping there could be some research done to "encourage" the possibility of attaining root and boot loader access on our Droid Turbo 2 Devices.
My approach here is to establish a collection of "Zero Day Bugs". Security flaws found in our devices that would put our OS as risk. As far as I can tell, Google keeps a record database and the media likes to talk about zero-day discoveries. Of course these bugs need to be timely so zero-day flaws found in 2014 or early 2015 likely were patched with the launch of the DT2.
For example, below is a link to a Zero-Day exploit that elevates the privileges of an app. Can something like this be used? Who has the technical expertise to replicate such an exploit? This thread is to talk about these things.
http://perception-point.io/2016/01/...f-a-linux-kernel-vulnerability-cve-2016-0728/
Hopefully this will spur up some traction and help get us root and bootloader.
Exploit found for Turbo 2 that can grant root access
Given the widespread impact of this exploit, it is likely other device owners are going to try to implement this exploit as well. Please post here if you find any implementations for other devices as it may be usable for the Turbo 2.
It has been confirmed that Quadrooter can exploit the Turbo 2: http://www.zdnet.com/article/quadrooter-security-flaws-affect-over-900-million-android-phones/
Four vulnerabilities (CVE-2016-2059, CVE-2016-2504, CVE-2016-2503, CVE-2016-5340)
And just an FYI:
"ALLOW OEM UNLOCKING" DOES NOTHING ON THE DROID TURBO 2
Click to expand...
Click to collapse
windraver said:
This thread is intended for the Droid Turbo 2. For the lucky Moto X Force owners, this thread shouldn't apply to you.
I think there are some brilliant minds lurking on this forum and I'm hoping there could be some research done to "encourage" the possibility of attaining root and boot loader access on our Droid Turbo 2 Devices.
My approach here is to establish a collection of "Zero Day Bugs". Security flaws found in our devices that would put our OS as risk. As far as I can tell, Google keeps a record database and the media likes to talk about zero-day discoveries. Of course these bugs need to be timely so zero-day flaws found in 2014 or early 2015 likely were patched with the launch of the DT2.
For example, below is a link to a Zero-Day exploit that elevates the privileges of an app. Can something like this be used? Who has the technical expertise to replicate such an exploit? This thread is to talk about these things.
http://perception-point.io/2016/01/...f-a-linux-kernel-vulnerability-cve-2016-0728/
Hopefully this will spur up some traction and help get us root and bootloader.
Click to expand...
Click to collapse
Could be used on a Terminal Simulator and get the bootloader lock transistor to break safety.
But honestly, my first thought would be to force into QHSUSB_DLOAD and somehow inject all XT1580 stuff to get it recognized as such.
I have installed one-click root (I got it through another site, not from them) and it sometimes says failed to root, but other times, it goes through the process, says it's done and to reboot, but when rebooting it does not have root. I have tried running other apps, like King Root, or Root Genius, or half a dozen others to get it to root, after getting one-click to say it has rooted it. Not sure if this will help or not, and honestly, I'm to the point, I'm ready to give up and do something different. I WILL NEVER buy another Verizon phone, ever! I may not drop them as a carrier, but I wont be keeping their crappy locked junk.
brannonwj said:
rant
Click to expand...
Click to collapse
From what I understand, this thread is for brainstorming. Not ranting about how you didn't do your research.
not a rant
Techn0Luigi said:
From what I understand, this thread is for brainstorming. Not ranting about how you didn't do your research.
Click to expand...
Click to collapse
That wasn't a rant about how I didn't do any research. IT was a what I did that might lead to someone having an idea of how it might help.
Don't be a jerk.
mr_verystock said:
Could be used on a Terminal Simulator and get the bootloader lock transistor to break safety.
But honestly, my first thought would be to force into QHSUSB_DLOAD and somehow inject all XT1580 stuff to get it recognized as such.
Click to expand...
Click to collapse
Can you explain the QHSUSB_DLOAD more?
QHSUSB_DLOAD (Qualcomm High-Speed USB Download Mode)
Man... It's been a while. Haven't had fun with any of this.
The bootloader starts and checks everything. There are 3 stages of the bootloader. 1 starts TZ, 2 something else, by 3 everything is booted and then it loads fastboot. QHSUSB_DLOAD is baked into the hardware. If the bootloader file is missing (.sbn) or doesn't match magic key (.hex) then booting fails. Most of the stuff turn off except for the CPU (in this case, ARM Cortex A53 and A78) and communications (USB interface), and it is stuck at QHSUSB_DLOAD. From there, you can load anything raw into the phone. So you can bring over the partitions that is used to boot (so in this case, you may be able to bring over something that damages TZ transistor, thereby unlocking bootloader). What you bring over exactly for the bootloader unlock, it hasn't been discovered even with the original Moto X (2013). However, that's how root is done. Bring over the blocks of the OS that contains the root blocks, and the bootloader doesn't know a thing.
Bring over a valid .sbn and .hex file and forcing the phone CPU to reset would bring the phone back from the missing bootloader, and then fastboot loads, followed by the OS (if the Linux core is present, the boot sector there, but that's another topic).
They rooted the phone in China , they sell it rooted!! Here is the link
m.intl.taobao.com/detail/detail.html?id=521809261322&spm=0.0.0.0
mr_verystock said:
QHSUSB_DLOAD (Qualcomm High-Speed USB Download Mode)
Man... It's been a while. Haven't had fun with any of this.
The bootloader starts and checks everything. There are 3 stages of the bootloader. 1 starts TZ, 2 something else, by 3 everything is booted and then it loads fastboot. QHSUSB_DLOAD is baked into the hardware. If the bootloader file is missing (.sbn) or doesn't match magic key (.hex) then booting fails. Most of the stuff turn off except for the CPU (in this case, ARM Cortex A53 and A78) and communications (USB interface), and it is stuck at QHSUSB_DLOAD. From there, you can load anything raw into the phone. So you can bring over the partitions that is used to boot (so in this case, you may be able to bring over something that damages TZ transistor, thereby unlocking bootloader). What you bring over exactly for the bootloader unlock, it hasn't been discovered even with the original Moto X (2013). However, that's how root is done. Bring over the blocks of the OS that contains the root blocks, and the bootloader doesn't know a thing.
Bring over a valid .sbn and .hex file and forcing the phone CPU to reset would bring the phone back from the missing bootloader, and then fastboot loads, followed by the OS (if the Linux core is present, the boot sector there, but that's another topic).
Click to expand...
Click to collapse
I'd like to see a Verizon phone rooted. That is the version I have and most in the U.S. have as well.
Sent from my XT1585 using Tapatalk
I finally updated my Turbo 2, losing hope on a root exploit.
Then I read this.
http arstechnica dot com/security/2016/06/godless-apps-some-found-in-google-play-root-90-of-android-phones (sorry, longtime lurker, just registered, can't post links)
It might lead to nothing, but maybe for those who haven't updated an exploit can be found with the godless apps?
The godless app is a hack that steals your data. If it did work, (which from what I understand it only works on 5.1 and below) you'd risk your personal and financial data being stolen and sold.
Alaadragonfire said:
They rooted the phone in China , they sell it rooted!! Here is the link
m.intl.taobao.com/detail/detail.html?id=521809261322&spm=0.0.0.0
Click to expand...
Click to collapse
Any luck in contacting the seller on how it is rooted?
I'm sure they use stolen Lenovo/Motorola factory development "engineering" software which unlocks the bootloader. It's the same phone as the Moto X Force but with locked down bootloader.
There were similar Droid Turbo phones being sold with unlocked bootloader a year ago in China, months before the Sunshine exploit was found.
gizzardgulpe said:
I finally updated my Turbo 2, losing hope on a root exploit.
Then I read this.
http arstechnica dot com/security/2016/06/godless-apps-some-found-in-google-play-root-90-of-android-phones (sorry, longtime lurker, just registered, can't post links)
It might lead to nothing, but maybe for those who haven't updated an exploit can be found with the godless apps?
Click to expand...
Click to collapse
I dont have my dt2 but link to one of the apps in case someone wants to try
https://apkpure.com/summer-flashlight/com.foresight.free.flashlight?hl=en
I'm usually just lurking here and grab Roms and exploits when they pop up, but I have something to add. Has anyone unlocked the developer settings? There's a toggle named 'oem unlocking' with a subtext of 'allow the bootloader to be unlocked'. Does this mean the bootloader can be unlocked? Last Verizon phone I had was a g3 and only way to gain a faux unlock was to use 'bump' to install twrp. Could this be possible with the turbo 2? I'm not a coder or anything, but just trying to add to the think tank here
This setting does nothing.
damkol said:
This setting does nothing.
Click to expand...
Click to collapse
There really should be a sticky saying "ALLOW OEM UNLOCKING DOES NOTHING ON THE DT2"
Droid turbo 2
After spending countless hours trying to unlock my bootloader to root my phone I'm at an impasse I've been told the Verizon and at&t models arnt able to be unlocked I will keep trying to get around this to root and install custom roms if anyone has any tips
Rhydenallnight said:
After spending countless hours trying to unlock my bootloader to root my phone I'm at an impasse I've been told the Verizon and at&t models arnt able to be unlocked I will keep trying to get around this to root and install custom roms if anyone has any tips
Click to expand...
Click to collapse
Crack the case, hook up some leads (microscope) and dump the memory for the boot loader is the only thing I can think of. Don't know if the that is even possible with that memory. It's probably integrated with other stuff.
Sent from my XT1585 using Tapatalk
Update: Oh yeah, it's encrypted. Guess that won't work.
Found something. Does anyone know if this vulnerability exists on the Droid Turbo 2?
CVE-2015-1805
http://www.computerworld.com/articl...itical-android-root-vulnerability-itbwcw.html
There is a proof of concept out there. Has anyone tried it?
https://github.com/dosomder/iovyroot
Hi,
My wife HTC m9(UK, Vodaphone, latest stock ROM, No root) was turned off last night to charge.
When booted up it does the below. It does not load into the OS. Every boot loops into the below.
https://drive.google.com/file/d/0B8n21CQX7535cjF4MnZqV2E1dGM/view?usp=sharing
It says the software has been modified?
My wife was very insistent that I never root or change ROMS on her phone.
Does anyone have a fix or is this send off for replacement?
Any advice would be greatly appreciated.
Thanks
Ca1v
ca1v said:
Hi,
My wife HTC m9(UK, Vodaphone, latest stock ROM, No root) was turned off last night to charge.
When booted up it does the below. It does not load into the OS. Every boot loops into the below.
https://drive.google.com/file/d/0B8n21CQX7535cjF4MnZqV2E1dGM/view?usp=sharing
It says the software has been modified?
My wife was very insistent that I never root or change ROMS on her phone.
Does anyone have a fix or is this send off for replacement?
Any advice would be greatly appreciated.
Thanks
Ca1v
Click to expand...
Click to collapse
What happens if you try to boot to Download Mode? I guess you see the black screen that is mentioned in Q7, right? If that's the case there isn't much you can do...
Download mode seems to be working (https://drive.google.com/file/d/0B8n21CQX7535cEFhTlpnajF5anM/view?usp=sharing)
If this is the case, can you point me in the right direction to get resolved?
Many thanks for the help
Flippy498 said:
What happens if you try to boot to Download Mode? I guess you see the black screen that is mentioned in Q7, right? If that's the case there isn't much you can do...
Click to expand...
Click to collapse
Download mode seems to be working (https://drive.google.com/file/d/0B8n...ew?usp=sharing)
If this is the case, can you point me in the right direction to get resolved?
Many thanks for the help
Interesting. Your video in post 1 shows a security warning. That means that the OS got deleted. This is only possible if you unlock the bootloader and delete it manually via TWRP or if the EMMC gets broken. Since the phone's S-ON and its bootloader is locked and not unlocked or relocked I assumed that the latter happened*.
As long as the download mode is working you can restore the system with the help of a RUU. Instructions can be found in the thread I linked in my last post. Be aware that all data on the phone is going to get erased.
* Well, it is possible to get the phone's status back to S-ON and locked with S-OFF but you said you never tinkered with that phone...
Flippy498 said:
Interesting. Your video in post 1 shows a security warning. That means that the OS got deleted. This is only possible if you unlock the bootloader and delete it manually via TWRP or if the EMMC gets broken. Since the phone's S-ON and its bootloader is locked and not unlocked or relocked I assumed that the latter happened*.
As long as the download mode is working you can restore the system with the help of a RUU. Instructions can be found in the thread I linked in my last post. Be aware that all data on the phone is going to get erased.
* Well, it is possible to get the phone's status back to S-ON and locked with S-OFF but you said you never tinkered with that phone...
Click to expand...
Click to collapse
Just thought I'd bring to your attention that apps are now being written that will try to obtain root without you knowing. The reason is that they can steal any information they want and sell it to corporations for as little as 4 pence/6c a record.
It is possible that it is a failed root by an app.
"I'm safe, I only download my apps from google playstore" - nope, you're not.
"I only use signed apps and the checksum is always correct" - nope, checksum can be matched with padding.
"I only use external sources to update genuine apps" - nope, see the Google playstore comment above.
"I have all my security and privacy set to super strict, I have my apps verified by google" - nope, still not secure because alerts are only written when the malicious/bad code is found.
Be warned, my fellow xda'ers. There is a whole new breed of security breach and it is terminal to root as a whole. Apps like kingoroot etc are issuing the wrong type of people with the wrong type of information and they are using it for the wrong purposes.
Google will stuggle to put a lid on these types of apps because they attack the hardware for access to software (a simple memory buffer overflow attack), inject a few lines of code and you're in, permanently. It will eventually result in a total lockdown at the manufacturer and bye bye root access, roms, mods etc, you'll get what you're given.
How do we prevent this?. We don't and we can't. We just have to sit back and watch as the world takes our privacy while bricking our devices one by one just to "try" to earn a poxy 4p.
Beamed in by telepathy.
@shivadow: I'm actually not sure what you're trying to achieve with your post. Malicious apps that can root your device without letting the user know about that exist since several years now. (Click here for a random example from 2011) Smartphones aren't completely safe and they never were. Everyone who's claiming the opposite either doesn't know what he/she is talking about or is simply lying.
To name just a few more android security flaws/exploits that emerged in the past: rageagainstthecage, gingerbreak, heartbleed, stagefright, the master key vulnerability, the futex bug, rootnik...
All of these have more or less been used for manipulating android phones. There is no absolute security. Android is still as secure/insecure as it's always been.
In addition, several OEMs are already trying to prevent their customers from rooting their phones since several years. Samsung's KNOX is a perfect example. (I don't want to discuss whether they're successful. That's a whole different topic.)
But let's get back to the deleted OS of the OP's phone: I've never heard about failed root attempts that erase a complete system partition. Therefore, I highly doubt that a malicious app caused all the trouble. Failed root attempts may cause a bootloop but they don't wipe your phone. Just think about the following: How should the dev of such app gain money if the app deletes OSes? Without OS there is no information you can steel and if you have no information you could sell/abuse/whatsoever you don't gain any money. Oh and not to forget that most apps on the play store already collect more than enough data from your phone they can sell afterwards without having to root it.
I meant failed root could be the cause, if the op didn't then who did?. If no-one modded it then dead nand is the only player..
I agree with every thing else but I don't trust those apps that try to gain root in the background to steal data and I think it's too easy for them to bugger your phone just for the sake of making a few coins. Face it, if I was doing it, once I had what I wanted I wouldn't care about the device. Sod the gracious exit and all that jazz.. No evidence, no conviction.
Maybe I'm being ott but my questions and points are still valid.
This is a proper "who dunnit" because I doubt it died of its own accord.
Knox is for businesses btw. If knox is triggered, which is very easy to do, the business is advised not to buy the device as it "may" have been compromised. But if no company secrets are being held on the device then it's still good to use. Knox protection was counteracted by supersu. In a nutshell, unless you run a company knox is of no concern to the everyday user.
Just thought I'd chuck that in there, I'm versed in the arts of the s3 i9300. I moved from that phone to this m9.
Beamed in by telepathy.
Hello there,
I would like a more secure and private OS on my phone. Copperhead OS is interesting but I don't have the money to buy a device from them nor the know how to use the source. So my question, what is a good alternative. It seems like there are a lot of options here on XDA. It's my first time here and I'm not the most technical when it comes to software. I was able to switch all my home computing to linux/tails but working with my phone seems much harder. Any advice would be a huge help at this point.
What I think I know:
-I need to unlock my phone, and I have a Verizon Pixel XL. I found this article, (turns out new people can't post links but it is the page with the depixel8 tool), that I think will help me to unlock. Step one of this article mentions fastboot and adb which I think I get from Android SDK. So I'm pretty sure I first download the SDK (gonna find a guide to be safe) and then I do these steps through the terminal.
-Back up everything! I've removed all my pictures, I don't have a ton of contacts but I saved those else where too. Everything at this point can be lost, so when we say "back up everything" is there something I am missing? In my Desktop experience this also meant back up my old windows install, is this the case here? If so how do I do that?
-When the phone is unlocked, I then load a ROM on to it and select it in bootloader?
In summation, very lost, slightly confused, willing to learn! I'm just looking for an OS where I can use open source software, including the OS. Call me paranoid (fixes tin foil hat) but I'd rather try to keep my life private if even a little. Thank you for any help you can provide me in taking my first steps into something new.
If you are already on latest Verizon there is no way to unlock.
So no way to flash any custom roms.
But if security is what you want an unlock bootloader is just the other way. Less security.
Darn, I am on the latest version. I'm not able to unlock using the depixel8 tool? If that's the case I may just pick up a nexus and try to use Copperhead.
Lost And Confused said:
Darn, I am on the latest version. I'm not able to unlock using the depixel8 tool? If that's the case I may just pick up a nexus and try to use Copperhead.
Click to expand...
Click to collapse
If you're past 7.1 then sadly depixel8 won't work
Guess that's a done deal then. Instead of making a new thread I guess I'll just ask here. The way I understand it, Android is open source, but that doesn't mean the OS on my phone is open source. Seeing that the community here works with Android so much, are there any major privacy concerns running the latest version. As an example, Windows, especially Windows 10 is a privacy nightmare. I can't imagine Android is that bad, but what can you tell me?
I promise, I tried to do it myself by looking at some guides on here, but all the links are broken, there are mod addendums and warnings on some of the threads, and htcdev won't even let me log in! I reset my password and immediately entered the one they sent to me and it said incorrect login! Also powershell isn't working with adb services(term 'adb' is not recognized) and the HTC sync software is no longer available for download... not sure what to do!
I currently have a Pixel 3, but my last two phones were HTC phones. The M8(t-mobile) and the 10(sprint/unlocked). I used guides on this forum to root them both. However, I ended up giving the M8 to my sister when I got the 10. I relocked the bootloader so it could be stock again.
The status is "relocked." I want to use the old phones to tether wifi to two old computers that have no wifi connectivity. My HTC 10 does it perfectly, but it is an unlocked model and is still rooted. Back when I got the M8, carriers were very stingy about that kind of stuff, so it is not possible by default. I have seen a few ways to allow the phone to tether from wifi to usb, but they require root.
And now I am here... a couple hours trying to do something that I did once years ago pretty easily, but with a bunch of broken links and services.
Any help is greatly appreciated, I really don't want to pay and then wait for a wifi adapter.
Thanks
I got my hands on a Google Pixel 3XL phone modified by TotalSec. It seems like it has LineageOS modified by them and installed but bootloader locked without option to unlock it. Is there a way to force developer options thru OS somehow where I can unlock the bootloader? Tapping 7 times on build does nothing...they sell this phone for €1500 with 6 month service. After 6 months, phone is useless...
I don't know anything about TotalSec. I checked their site and see they offer the Pixel 3 and Pixel 3A. At 1500 euro, for 6 months use (I couldn't find the price for the ongoing subscription) this is clearly not a product intended for the consumer. I didn't see the 3XL.
I'm interested how they accomplished re-locking the bootloader on a Pixel device with a non-stock OS. Having to leave the bootloader unlocked is a security concern. I think many Pixel owners would like to unlock their bootloader, root or make other changes, then re-lock the bootloader.
It seems like they are running LineageOS as a base, modified it and locked it down. You have to literally log in, pay 1500 euros for 6 months of use. There is no option of tap build 7 times to enable developer options so I cant unlock the bootloader. Im currently in fastboot mode and will attempt to load new recovery and bootloader.
Is there a way to unlock a bootloader from fastboot mode?
My friend has one of those coming in. Pixel 4, specifically.
My guess is that they have custom AVB keys installed which allows them to relock the bootloader. Do you get a _yellow_, not orange, warning when you boot the device up?
Regardless, you should be able to flash stock even with a locked bootloader; https://flash.android.com/ should work just fine. I don't recommend you flash the device yet, unless it's your only device, as you might want to grab a copy of the OS just for ... giggles.
{Mod edit: Inappropriate language removed. Oswald Boelcke}
Thank you! Let me try it, it is my extra phone laying around with no use for anything at the moment. I use Pixel 7 Pro as a daily.
No go. It is telling me to enable OEM unlocking
{Mod edit: Inappropriate language removed. Oswald Boelcke}
what happens when you run `fastboot flashing unlock`? im not expecting anything to happen since the developer options are gone but I'm a tad curious. also, see if you can boot it to fastbootd.
there's also an app on fdroid called setedit, try to download it on that phone and search "development_settings_enabled". if it pops up set it to 1 and you should have the developer settings enabled
i won't lie to you i don't think there's anything that can be done. you could try manually installing the stock OS with the fastboot cli but i doubt it would lead to anything.
Yeah I think I tried that. Weird that OS level has triggers that switch on/off the bootloader and not CLI part! CLI should have priority and logically it makes more sense to be done now, not on OS level!
Did you found any solution, I have Pixel 4 with same situation I tried to sideload latest lineage OS flame via recovery to overwrite the existing system done with error !
Mine is stuck in fastboot, cant do anything! I wish I can wipe it and load a fresh OS! No luck so far!
At this point I'm tempted to get one of those devices for myself to experiment on. How much did you all get them for?
I got it for free from a friend of mine but prices are insane, it's $1500-$2000
I got a notification in my email, I dont see that message anymore, setedit app??
Oh yes, I edited the comment to remove it since it doesn't work for writing settings without some permissions that need to be given over ADB.
I'm trying to think what you can do, my friend got theirs and has so far been unable to do anything with it
Are you just trying to find a use for it? You might be able to completely reinstall everything with a firehose. I could try to find one for your pixel 3xl, there probably is one on XDA.
It's certainly a last resort and not something you should do for every device, but I'm running out of ideas and Qualcomm proprietary stuff is fun to mess with imo
pmnlla said:
Are you just trying to find a use for it? You might be able to completely reinstall everything with a firehose. I could try to find one for your pixel 3xl, there probably is one on XDA.
It's certainly a last resort and not something you should do for every device, but I'm running out of ideas and Qualcomm proprietary stuff is fun to mess with imo
Click to expand...
Click to collapse
I can send you a Google Pixel 3XL for free, with the bootloader locked from TotalSec. There are a lot of Google Pixels here in Albania that they have no use anymore because there are a lot of alternatives. But with the bootloader locked, we cannot do anything.
What do you mean by that? many useless phones because of the totalsec OS? shoot me an e-mail at [email protected], I know a few people who could possibly help.