29

General - (OPEN DEV) BruteRoot - A collection of Root Tactics (Possibly Force Bo...

 2 years ago
source link: https://forum.xda-developers.com/t/open-dev-bruteroot-a-collection-of-root-tactics-possibly-force-bootloader-unlock-on-na-samsung-s22.4468083/page-6#post-87247455
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

General (OPEN DEV) BruteRoot - A collection of Root Tactics (Possibly Force Bootloader unlock on NA Samsung S22?)

Copyrighted material?

Yes. Such as recently stolen internal Samsung files.

Reactions: Oswald Boelcke

I looked into the Galaxy Store vulnerability, CVE-2022-33708. I was on a patched version but uninstalling system updates for the app put me on a vulnerable version. I decompiled the APK using jadx and did find what I belive is how to perform this exploit. Theres a broadcast receiver that gets registered when installing and uninstalling apps from the store.

In the onReceive for the receiver theres a part where if the package installer receives an intent with the status -1 (STATUS_PENDING_USER_ACTION) then it launches another Intent thats provided in the first one. I think that this is what we're looking for.

Ignore the errors from decompiliation but this is what I'm talking about:
1658719291765.png
Hey if anyone needs a tester I'm willing to soft brick my phone for the cause. Or even a factory reset is no big deal to me. My software info is in the attached photo

Attachments

  • Screenshot_20220718-143307_Settings.png

    Screenshot_20220718-143307_Settings.png
    246.8 KB · Views: 64

Reactions: K0mraid3

1659012758195.png
Flashed! (NOT recovery! - Boot.img's on A/B. - Empty VBmeta)

Reactions: a63548 and bigron77

I looked into the Galaxy Store vulnerability, CVE-2022-33708. I was on a patched version but uninstalling system updates for the app put me on a vulnerable version. I decompiled the APK using jadx and did find what I belive is how to perform this exploit. Theres a broadcast receiver that gets registered when installing and uninstalling apps from the store.

In the onReceive for the receiver theres a part where if the package installer receives an intent with the status -1 (STATUS_PENDING_USER_ACTION) then it launches another Intent thats provided in the first one. I think that this is what we're looking for.

Ignore the errors from decompiliation but this is what I'm talking about:
View attachment 5667913

Oh ****! Good Find! Have you tried to exploit it yet? See if you could maybe tell it to overwrite some useless arbitrary file that has elevated privs?

Yes. Such as recently stolen internal Samsung files.

It would be3 great if there was a place we could say **** the BS semantics and just DO RESEARCH. I totally get the copyright issue, really. That can cause some serious BS and apologize for that, didn't realize I couldn't speak of it at all in that context.

Last edited by a moderator: Jul 28, 2022
It would be3 great if there was a place we could say **** the BS semantics and just DO RESEARCH. I totally get the copyright issue, really. That can cause some serious BS and apologize for that, didn't realize I couldn't speak of it at all in that context.

Watch the language, please. While there are many places on the Internet where such material might be shared, XDA is not one of them. It's stolen intellectual property that was never intended for the public domain. I can agree with most everyone here in the hopes that someone's able to use it in such a way that allows us to overcome the artificial restrictions placed on contemporary devices, but when it comes to the code itself, we must avoid any legal liability whatsoever. XDA is free; let's keep it that way.

Watch the language, please. While there are many places on the Internet where such material might be shared, XDA is not one of them. It's stolen intellectual property that was never intended for the public domain. I can agree with most everyone here in the hopes that someone's able to use it in such a way that allows us to overcome the artificial restrictions placed on contemporary devices, but when it comes to the code itself, we must avoid any legal liability whatsoever. XDA is free; let's keep it that way.

Very well explained, thank you for that, i do agree for the most part -again, apologies, force of habit on language.

Reactions: V0latyle

Very well explained, thank you for that, i do agree for the most part -again, apologies, force of habit on language.

I spent my entire 20s in the Marine Corps. I get it.

Reactions: K0mraid3

Johnmoerike

Member
Apr 28, 2018
It would be3 great if there was a place we could say **** the BS semantics and just DO RESEARCH. Ie totally get the copyright issue, really. That can cause some serious BS and apologize for that, didn't realize I couldn't speak of it at all in that context.

There is, Telegram. A large part of development is now happening there

There is, Telegram. A large part of development is now happening there

Invite me to a group? I've basically been in a shell the last 5 years so I don't know where to start to find others that are into this stuff. I'm full on Solo on this ATM. (Which is probably why it's taking so long, I'm having to figure everything out from scratch with only the help of Google, XDA and Android Developers website lol.

Reactions: xgerryx

Invite me to a group? I've basically been in a shell the last 5 years so I don't know where to start to find others that are into this stuff. I'm full on Solo on this ATM. (Which is probably why it's taking so long, I'm having to figure everything out from scratch with only the help of Google, XDA and Android Developers website lol.

If I could also get an invite that would be appreciated

Reactions: K0mraid3

If I could also get an invite that would be appreciated

Me too as well!

Reactions: K0mraid3

Me too as well!
me three!
If I could also get an invite that would be appreciated

I never got an invite but ill make a Telegram group for this topic.

I'll try to post in it as much as possible. Anyone is welcome to join. Let's try to use this as a resource for communicating new and potential exploits for collective work, dev and rev engineering as well as any questions.
t.me

Android Development and stuff..

Let's unlock every android phone on the market. One person can't do this alone, but as a collective, this can be done.
Last edited: Thursday at 8:14 PM

Johnmoerike

Member
Apr 28, 2018
I never got an invite but ill make a Telegram group for this topic.

They are littered throughout xda forums. One or more for every device. Look for the paid Samsung bootloader unlock thread, you will find a good link there.

Top Liked Posts

  • An update from kernel security researcher Zhenpeng Lin: he has reported the exploit to Google and will publish details after it has been fixed. He also believes this exploit will allow unlocking the bootloader.
    Devices & Linux Versions I or other Testers have Successfully Gained Root on:
    (Likely All) MTK CPU Based Android devices UP TO 11 (Maybe 12? I haven't tested) (I.e LG, Sony, Select Samsung devices)
    Android Devices with LINUX KERNEL VERSIONS - 5.8 - 4.14 - Maybe More? (Needs Testing)

    -THIS GUIDE IS NOT BEGINNER FRIENDLY - BASIC UNDERSTANDING OF PYTHON, UNIX/LINUX ETC WILL BE REQUIRED!-
    If you have been holding off updating your device, well here's some good news, your device may still be vulnerable to a method to gain root access (and subsequently, possibly the ability to edit Build.prop and therefore allow the ability for OEM unlocking on USA based devices.) <- correct me if I'm wrong, but this should be possible, and once done, should persist across updates, correct?

    As of the time of writing this, there is not currently a simplified APK method, but, still this process is relatively straight forward.
    Alot of the methods used HAVE been patched from what I understand, but there have got to be plenty of devices out there still which are not updated. This project aims to compile all current, former and future Root methods into an APK that will do all the leg-work. If its able to find a working method, the GUI will pop a root shell for the end user. This SHOULD work, regardless of the setting of the "OEM UNLOCK" option in the dev options. A bypass, essentially.

    Regardless, The project linked below uses a myriad of known exploits & vulnerabilities and looks to find one that will work.

    Methods used are:
    • Nearly all of GTFOBins
    • Writeable docker.sock
    • CVE-2022-0847 (Dirty pipe)
    • CVE-2021-4034 (pwnkit)
    • CVE-2021-3560
    It'll exploit most sudo privileges listed in GTFOBins to pop a root shell, as well as exploiting issues like a writable docker.sock, or the recent dirty pipe (CVE-2022-0847). More methods to root will be added over time too.

    There is also an alternative (Dirty Pipe) injection method the uses @topjohnwu 's Magisk , this should be implemented into the apk. See this Github repo, Here.

    I would imagine this could be implented in a way to target devices that have stopped being supported for updates, aswell, that do not have TWRP, such as the SM-T307U.

    One big note - I am betting there are still ALOT of devices that are in inventory at retailers that remain on the vulnerable OS. So keeping that in mind, I'd say this is worth building.

    What needs to be done:
    • TESTING!
    • Build APK - HELP NEEDED WITH THIS!
    • Deploy
    Main Goals:
    • Get bootloader unlock ability for devices normally not unlockable (I.e North American Samsung Galaxy S22, Etc)
      • Above can be achieved by getting temp root via methods detailed here or otherwise, then editing build.prop, altering the below settings (The settings may be worded differently or simply not present at all, depending on device and Firmware version):
      • sys.oem_unlocking_allowed to 1
      • ro.oem_unlock_supported to 1 (most devices are set to 1 by default.)
      • ro.boot.flash.locked to 0
      • ro.secure to 0
      • ro.debuggable to 1
      • I think there may be one or two more that pretaint to Flash.locked. I.e flash.locked.other--or something very close.
    • Locally, gain temp root (System preferred, but any root will do.) on as many device types as possible.
    • Give device control back to end user.
    • Stay up-to-date on new exploits for root access & update apk accordingly.
    • STAY ETHICAL!!!! This is, in the end, a research project. Meaning all work preformed in the context of this project could result in a damaged or bricked device. By participating in this project you acknoledge these risks and accept them, and agree to not hold me, XDA, or anyone else responsible if you do some dumb ****. - k0mraid3
    Github Project link: HERE for my fork & HERE for the original project.
    My fork will incorporate the original project, as well as other found root access methods, such as the magisk injection method mentioned above - my repo is mainly used as a hub for the APK's dev - i don't have enough time to work on it at the moment but all are welcome to help.

    July 15th 2022 (UPDATE) (SAMSUNG DEVICES ONLY): A new Escalation method has been found via the Galaxy app store (Versions BEFORE Galaxy Store 4.5.41.8). No details known yet, but it is said to be very easy. See CVE-2022-33708 (July132022). Unknown if downgrading the app to 4.5.0.0 will enable the method again or not.

    Cred: liamg

    One method to run Traitor on device - Thanks @DevinDking for sharing this.
    Steps to get script on phone.
    //
    #!/bin/sh
    set -e
    dir=/data/local/tmp
    adb=${adb:-"adb"}
    $adb push traitor ${dir} //This puts file on phone make sure to run the terminal where its located
    $adb shell chmod 755 ${dir}/traitor"
    //
    Now to run script start a new terminal
    //
    adb shell
    #!/bin/sh
    set -e
    dir=/data/local/tmp
    adb=${adb:-"adb"}
    ${dir}/traitor //script opens
    //
    But I assume this wouldn't work right, and isn't right.
    Idk trying my best here xD
    Tools & References:Interesting Attack vectors -
    • GFX Componets of a system.
    • Issues with Linux itself (i.e Dirty Pipe)
    • Privilage escalation via any means (I.e GTFOBins)
    • unprotected system process - Hijack them if possible (i.e RILService Mode, and a wide range of other OEM apps left on devices after ship)
    7/24/22 - Samsung, LG & Other OEM's obfuscating (Intentionally Hiding) Fastboot and ADB Bootloader interfaces on PC

    So over the last week or so i dived head first into USB Dev - ill save you the time and sum it up.
    Vendors and OEM's are actively obfuscating the USB connection between your smartphone and the PC to keep you from Rooting. As far as im aware, there is no Universal way to fix this as each OEM screws with the USB drivers differently. THIS needs to be a point of focus for the rooting community. However, i have found a few tools for Dev if you wish to screw with this. (I'll upload them tonight)

    7/24/22 - MTK (MediaTek) based Exploits

    I Will try to compile a few methods for FORCING Bootloader Unlock on MTK based Devices as well as a way for manipulating said devices. I will attach two tools to this thread, these tools are EXTREMELY POWERFUL and can completely **** up your device. When i say REALLY F*CK UP your device, I mean to the point you cant even access recovery, Download OR bootloader mode. I'm Talking a blank DEAD device. So use with caution.

    With that said, lets talk about the tools. You will need a basic understanding of Python to make use of MTK Client
    First up, we have MTK Meta Utility (Currently Version 44) (Download Below)
    Next we have MTK Client (Github Link)

    So what can you do? Well, you can crash the Preloader to Brom with MTK Meta Utility while at the same time using MTK Client to send any payload you like to the device via Fastboot.

    I know, vague right now, but ill add detail over the coming days.

    I will continue to update the below list as new methods are discovered.

    If you find Guides, tutorials or new exploits, please link them in the comments so I can include them in future development!

    Telegram Channel: Here.

    Information on Vulnerabilities, exploits & methods - CVE-2022-0847 (Jfrog) - The Story Of "Dirty Pipe" - XDA - Dirty Pipe - PWNKIT (CVE--2021-4034) - CVE-2021-3560 - Docker Breakout / Privilege Escalation - CVE-2022-33708 (July132022) - CVE-2022-33701 (July122022) - CVE-2022-22268 (Unlock Knox Guard with DEX) (JAN2022) - MTK Client -


    Dev Team & credit to -
    @topjohnwu - LiamG - @wr3cckl3ss1 - bkerler -

    UPDATED - 7/29/22
    I'll try to post in it as much as possible. Anyone is welcome to join. Let's try to use this as a resource for communicating new and potential exploits for collective work, dev and rev engineering as well as any questions.

    Android Development and stuff..

    Let's unlock every android phone on the...
    I was able to get this by running "traitor-arm64" on my phone.

    Steps to get script on phone.
    //
    #!/bin/sh
    set -e
    dir=/data/local/tmp
    adb=${adb:-"adb"}
    $adb push traitor ${dir} //This puts file on phone make sure to run the terminal where its located
    $adb shell chmod 755 ${dir}/traitor"
    //
    Now to run script start a new terminal
    //
    adb shell
    #!/bin/sh
    set -e
    dir=/data/local/tmp
    adb=${adb:-"adb"}
    ${dir}/traitor //script opens
    //
    But I assume this wouldn't work right, and isn't right.
    Idk trying my best here xD
    Capture.PNG
    There is also a new vulnerability exploit by Zhenpeng Lin that allows for privilege escalation on Pixel 6 and and Galaxy S22 devices running 5.10 kernel.

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK