Hey all. Currently, evilpotatoman has gotten us closer than ever to achieving root with our phones. He's out of commission at this time until his device back comes in, which could take 2 weeks or more. He has extended the torch to any dev who might be interested in taking a crack at it with his notes (included below). Reference the bounty thread here for details about the bootloader/root bounty information.
!!!!PLEASE DO NOT POST YOUR BOUNTY AMOUNTS HERE!!!! DO IT IN RAYLON00'S THREAD FOR CONTINUITY: http://ift.tt/1SCzxRp
You can PM evilpotatoman here: http://ift.tt/1mZxszk
!!!!PLEASE DO NOT POST YOUR BOUNTY AMOUNTS HERE!!!! DO IT IN RAYLON00'S THREAD FOR CONTINUITY: http://ift.tt/1SCzxRp
Quote:
| Originally Posted by evilpotatoman (Post 66233540) Here's where it's at, but first a few notes and thoughts; A) Even after upsetting dm-verity, the system remained somewhat stable* *The only issues I see are the system:custom message, an unlocked boot logo, and that the stock installer refuses to install anything but FOTAs or a sec_csc.zip flashed on the CACHE partition. If cleared, the system boots up normallyB) It's extremely difficult to reverse dev this device - Every piece of secure-trust-knox-DRK-verity-crapola increases the chance of a misstep and ending up with a really nice IOT brick. Because of all this security, looking for buffer overflows and random execs would take ages. I focused on stupid programming mistakes, sifting through log files, much like I did when developing the original Note 3 recovery method. C) The HOME_CSC partition file that seems to fail typical odin flashes -- It sets something permanent, like kind of hard-coding the verity keys. During my testing, I flashed one only to later realize that my CSC was then hard-coded to Chinese branding. Before that flash, I could mess around with the branding at will (and subsequently write to the system partition). It was only after I flashed that CSC_HOME that dm-verity actually failed. In short -- I had root BEFORE download mode labeled my system as custom. I flashed HOME_CSC, dm-verity then failed when I changed the CSC following the hard-code. I have yet to fully re-create my EFS partition, and sent it to someone who wears darker hats than I for a fix. Because I won't have the phone for a while (at least 2 weeks), I've decided to give a brain dump in hopes that someone can pick up where I left off. PM me for additional details, but the following should get better devs searching for a more stable method. sec_csc.zips (found in cache.img.ext4) can be used to modify the system partition, and the partition itself isn't signed. Those zips also set the region. *A particularly interesting csc zip exists for the G9300's CSC file..... Odin happily flashes specific "partitions" individually, so piece-meal it out. nand partitions can be written to while still failing in odin (but system.img is signed in 2 places, so fyi) The exploit leverages those download-mode/recovery, plus the stupid programming error found below: on the stock firmware, there's a boot script that calls a missing binary, which is a perfect -in- for the su daemon. |
from xda-developers http://ift.tt/1SCzyEV
via IFTTT
No comments:
Post a Comment