Can the DirtyCOW exploit be used to root the S7 Edge on VZ? - Verizon Samsung Galaxy S7 Edge Questions & Answers

Hello All,
I was wondering if the Dirty COW exploit detailed here:
https://gist.github.com/Arinerron/0e99d69d70a778ca13a0087fa6fdfd80
could be used to root our S7 Edges on VZ and others.
-Kev

This would only provide a temporary root, if it even worked, that would not allow changes to the /system partition. We have dm-verity checks that are enforced, and all changes to the /system partition would be reverted on reboot. So it would not be a plausible solution, at all.

I think that if we are able to have an app that re-establishes the temporary root on startup, it's the same as modifying the system init sequence... no?

Related

[Q] Backup of TA Partition

I know iovyroot for the Z5C allowed this backup, but with the recent Dirty COW (copy-on-write, CVE-2016-5195) vulnerability, has anyone been able to develop a way to backup/restore the TA partition?
Question: Has anyone developed a tool to backup and restore TA partition for the X Compact yet?
Answer: Yes, by rayman. This method requires firmware 34.1.A.1.198.
http://forum.xda-developers.com/crossdevice-dev/sony/universal-dirtycow-based-ta-backup-t3514236
*Edit: Figured I would update this post since a TA backup was found.
If I understand correctly, the only way to backup TA on the Z5 is to downgrade to Lollipop first. As the XC shipped with 6.0 and there is no way to downgrade and get full root access without unlocking the bootloader, and without full root there is no way to access the TA partition. I don't believe any Sony device shipped with Marshmallow can be rooted without destroying the TA partition at this time.
The Dirty COW exploit is basically a proof of concept at this point; you can get a root shell but that's about it. Hopefully someone will soon find a way to use it to get full root access.
Yes, people were capable of backing up TA because of a root exploit on the Z5C Lollipop ROM. I'm not entirely convinced we need full root with permissive sepolicy.
Could any devs tell me if a recompile of the toolkit binary with the root user hardcoded (setresuid, setresgid) could allow the use of the dd command for TA backup, or would there still be SELinux issues with the recompiled toolkit binary?

Re-encrypt Data?

I'm rooted using Magisk and I'm using ElementalX kernel. I do not have TWRP installed as I want to get OTAs... my question is, can I re-encrypt my data without losing Magisk? I remember TWRP having problems decrypting the partition when I first tried to install Magisk/EX, so, in case I lose Magisk, can I reinstall Magisk/EX in TWRP or FlashFire once I re-encrypt my device? (i.e. can TWRP decrypt "user encrypted" data partitions? and/or can Magisk run from an encrypted data partition?)
jhonyrod said:
I'm rooted using Magisk and I'm using ElementalX kernel. I do not have TWRP installed as I want to get OTAs... my question is, can I re-encrypt my data without losing Magisk? I remember TWRP having problems decrypting the partition when I first tried to install Magisk/EX, so, in case I lose Magisk, can I reinstall Magisk/EX in TWRP or FlashFire once I re-encrypt my device? (i.e. can TWRP decrypt "user encrypted" data partitions? and/or can Magisk run from an encrypted data partition?)
You have a premise incorrect here... If you are not 100% stock, you CANNOT take an OTA, even if you have stock recovery... you have modified the kernel, ramdisk image (Magisk), and likely the system partition (if not, why did you bother to root?), so OTA updates will FAIL. Even with FlashFire there is less than a 50% success rate with this device when rooted.
Although I haven't tried in a long time, TWRP should handle encryption fine, as long as you know the password/PIN... I can't speak for ElementalX specifically, but it is a mainline kernel so I think it should be fine.
The point is that once you have unlocked the bootloader, your device security is pretty much zero... that is kind of a given, encryption helps safeguard your private information, but unlocked bootloader negates FRP and anyone could just fastboot TWRP, wipe and enjoy using your device. This is one of the reasons (of several) that I have stopped unlocking the bootloader and rooting anymore.
My question was mainly about Magisk and TWRP working with encrypted partitions.
About the security, I'm aware of the implications and I just want to keep my data safe, which is more important than the device itself.
As for the device modifications, AFAIK ElementalX uses the ramdisk just as Magisk does, it doesn't write anything to the kernel partition, also, I haven't modified /system at all; all possible modifications I've done have been through Magisk modules and Xposed (which I installed systemlessly of course). The main reason I rooted is indeed Xposed so I can use stuff like NeoPowerMenu, Whatsapp Extensions, ActivityForceNewTask, etc.
Given the fact that I've only modified the ramdisk so far, are you sure that I can't accept OTAs? (I know they'll break my current setup, but it should be easy to fix)
jhonyrod said:
My question was mainly about Magisk and TWRP working with encrypted partitions.
About the security, I'm aware of the implications and I just want to keep my data safe, which is more important than the device itself.
As for the device modifications, AFAIK ElementalX uses the ramdisk just as Magisk does, it doesn't write anything to the kernel partition, also, I haven't modified /system at all; all possible modifications I've done have been through Magisk modules and Xposed (which I installed systemlessly of course). The main reason I rooted is indeed Xposed so I can use stuff like NeoPowerMenu, Whatsapp Extensions, ActivityForceNewTask, etc.
Given the fact that I've only modified the ramdisk so far, are you sure that I can't accept OTAs? (I know they'll break my current setup, but it should be easy to fix)
Positive... 99% sure they will fail. And although Xposed may be installed systemless, its modules still modify /system.

Magisk Systemless root how to OTA update? Help needed!

I'm following topjohnwu's guide on how to update with Magisk but I do not find it clear enough. Are these the steps I need to take in order to not brick and update my phone with the Feb update?
1. Uninstall Magisk by "restore images" option.
2. Install OTA
3. Reboot to reinstall Magisk on second slot
Magisk is NOT installed on the second partition! And I prefer not to flash back the original image just to do that. My system should be read-only and I do not have TWRP, I never had. I updated my Google Services Framework from apkmirror and I got the update; now how do I apply it without soft bricking?
Update
Step 2 failed, "installation problem". Wtf do I do in order not to lose Magisk or data?
Edit
I've uninstalled Magisk but haven't restarted, hoping to get a solution where I keep my sh*t since that's what the guide said...
Edit 2
I'm reading the other thread but I'm having trouble finding a single piece of useful information there; quote one if you find it, it might be my autism that I don't see a solution in that three-page-long thread. Tell me I need to MiFlash this sh*t so I calmly jump through my window instead of wasting the whole night on making it work, then wasting another day on backing my sh*t up.
Edit 3
Fully uninstalled Magisk following the instructions of an Indian guide. BOOTLOOP.
Note to self, stop following South Asian guides.
Downloaded ROM and MiFlash, flashed flash_all_except_storage.bat.
Shook for 4 minutes until "success" mark, successful reboot.
Edit 4:
Follow the regular Magisk flash guide: https://forum.xda-developers.com/mi-a1/help/how-to-root-mi-a1-february-ota-update-t3757934
If you got into a bootloop after Magisk uninstallation, you did modify the system partition at some point. This is also the reason why you couldn't install the OTA. The Magisk OTA update guide works perfectly fine for an unaltered system partition.
_mysiak_ said:
If you got into a bootloop after Magisk uninstallation, you did modify the system partition at some point. This is also the reason why you couldn't install the OTA. The Magisk OTA update guide works perfectly fine for an unaltered system partition.
That's what I figured, but how? I just did exactly everything I did before the OTA attempt; I just installed a few modules and touched nothing else. At which point could I have touched the system partition?
So I'm reading now that apps can still alter /system with Magisk root permission, so what about one of these apps?
1. Does anyone know if they can mess with the system?
BusyBox
Greenify
Lucky patcher (this c*nt is my main suspect)
Titanium backup
2. Can we somehow make sure that we haven't touched the system partition before the OTA attempt?
3. Once I've redone everything (flash ROM without storage, install OTA, install Magisk), my system shouldn't be touched now, right?
A14DWIN said:
That's what I figured, but how? I just did exactly everything I did before the OTA attempt; I just installed a few modules and touched nothing else. At which point could I have touched the system partition?
So I'm reading now that apps can still alter /system with Magisk root permission, so what about one of these apps?
1. Does anyone know if they can mess with the system?
BusyBox
Greenify
Lucky patcher (this c*nt is my main suspect)
Titanium backup
2. Can we somehow make sure that we haven't touched the system partition before the OTA attempt?
3. Once I've redone everything (flash ROM without storage, install OTA, install Magisk), my system shouldn't be touched now, right?
Please keep in mind that Magisk is a 2-in-1 package. First of all it provides root access, and any app with root access can modify system directly. The second feature is systemless modifications, but you must follow defined rules to make them work.
From your list of apps, BusyBox would be my first suspect. You must use the Magisk BusyBox module; the standard BusyBox is installed directly to the system partition. The Lucky app might be the culprit too, though it depends on which features exactly you used.
Yes, once you reflash the stock ROM, apply the OTA and install Magisk (the correct way), your system partition will be ready for the next OTA.
Someone mentioned one command which could verify the last modification date of any partition, but I can't find it right now.
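The dm-verity reply earlier in the thread and the question here about proving /system is untouched rest on the same idea: a hash tree over the partition's blocks that any modification breaks, which is also why a block-based OTA refuses to apply. The Python below is an added example, not code from this thread or from Magisk; it builds a simplified Merkle tree (real dm-verity packs many hashes per hash block, but the property is the same) over a constructed image, then shows that a one-byte change fails verification and which block was touched.

```python
import hashlib

BLOCK_SIZE = 4096  # dm-verity's default data block size


def split_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Cut an image into fixed-size blocks, zero-padding the last one."""
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    if blocks and len(blocks[-1]) < block_size:
        blocks[-1] = blocks[-1].ljust(block_size, b"\0")
    return blocks


def block_hashes(data: bytes, salt: bytes = b"") -> list:
    """Level-0 leaves: one salted SHA-256 digest per data block."""
    return [hashlib.sha256(salt + b).digest() for b in split_blocks(data)]


def hash_tree_root(data: bytes, salt: bytes = b"") -> str:
    """Reduce the leaves pairwise up to one root hash (hex).

    Every data block feeds into the root, so a change anywhere
    in the image yields a different root.
    """
    level = block_hashes(data, salt)
    if not level:
        return hashlib.sha256(salt).hexdigest()
    while len(level) > 1:
        level = [hashlib.sha256(salt + b"".join(level[i:i + 2])).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()


def verify_image(data: bytes, expected_root: str, salt: bytes = b"") -> bool:
    """What a verifier does at boot: recompute and compare to the trusted root."""
    return hash_tree_root(data, salt) == expected_root


def modified_blocks(stock: bytes, candidate: bytes, salt: bytes = b"") -> list:
    """Indices of blocks whose hash differs from the stock image.
    Extra or missing trailing blocks (resized image) count as differences too."""
    a, b = block_hashes(stock, salt), block_hashes(candidate, salt)
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    diff += list(range(min(len(a), len(b)), max(len(a), len(b))))
    return diff


if __name__ == "__main__":
    stock = bytes(range(256)) * 64          # constructed 16 KiB "partition image"
    root = hash_tree_root(stock, salt=b"example-salt")
    tampered = bytearray(stock)
    tampered[5000] ^= 0x01                  # flip one bit inside block 1
    print(verify_image(stock, root, b"example-salt"))            # True
    print(verify_image(bytes(tampered), root, b"example-salt"))  # False
    print(modified_blocks(stock, bytes(tampered)))               # [1]
```

On a real device the trusted root comes from the verity metadata signed with the OEM key, not from a value you compute yourself, so the check is only as strong as that key and the bootloader that enforces it.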
_mysiak_ said:
Please keep in mind that Magisk is a 2-in-1 package. First of all it provides root access, and any app with root access can modify system directly. The second feature is systemless modifications, but you must follow defined rules to make them work.
From your list of apps, BusyBox would be my first suspect. You must use the Magisk BusyBox module; the standard BusyBox is installed directly to the system partition. The Lucky app might be the culprit too, though it depends on which features exactly you used.
Yes, once you reflash the stock ROM, apply the OTA and install Magisk (the correct way), your system partition will be ready for the next OTA.
Someone mentioned one command which could verify the last modification date of any partition, but I can't find it right now.
Dang I really need that command.
_mysiak_ said:
Please keep in mind that Magisk is a 2-in-1 package. First of all it provides root access, and any app with root access can modify system directly. The second feature is systemless modifications, but you must follow defined rules to make them work.
From your list of apps, BusyBox would be my first suspect. You must use the Magisk BusyBox module; the standard BusyBox is installed directly to the system partition. The Lucky app might be the culprit too, though it depends on which features exactly you used.
Yes, once you reflash the stock ROM, apply the OTA and install Magisk (the correct way), your system partition will be ready for the next OTA.
Someone mentioned one command which could verify the last modification date of any partition, but I can't find it right now.
Don't bother trying to find it, it exists, I'll make a dedicated thread at some point, thanks for the answer, BusyBox seems logical.
The correct way to install Magisk? I just flash Ranjit's patched img from the official Magisk root thread; that should be the correct way.
I just use Lucky to patch certain apps, so that shouldn't be a problem.
Right now, I'm giving Magisk root permission to Greenify, Lucky Patcher and Unified Hosts. Also, both Greenify and the Unified Hosts adblock have their own modules in Magisk.
Hopefully I still haven't touched my system partition.
I encountered the error as well after trying the Pixel OTA method. To flash the update successfully, I flashed the stock January system and boot img via fastboot and it updated properly after. Then I just patched the stock Feb boot img and went back to fastboot. Once there, I did the fastboot boot command with the patched Feb boot.img so I got root back after updating.
Sent from my Xiaomi Mi A1 using XDA Labs
Hi,
I have a rooted Redmi 5+. I use Lucky Patcher (I applied some patches to some apps) and I once installed BusyBox (didn't do anything special).
I want to know if it is safe to flash the full update?
PS: how do I confirm that the system and vendor files are OK to proceed?
Thanks
Can't you flash the OTA in TWRP and then reflash Magisk if needed?
robgee789 said:
Can't you flash the OTA in TWRP and then reflash Magisk if needed?
Yes, I can do that.
I know the procedure to flash the full zip file via TWRP, via this tutorial: youtube.com/watch?v=oUUzxYHV_ac&t=1s&index=11&list=WL
But I want to know if it is safe to flash, because I used those two applications.

[Q] Help needed in relocking the bootloader

Hi,
Some time back I unlocked the bootloader and used Magisk to enable the Camera2 API. After that I uninstalled Magisk and tried to relock the bootloader. Everything went in order until I tried to relock the bootloader. But once I typed in the command to relock the bootloader and restarted, the mobile showed something like "no OS found" or something like that, I don't remember correctly. Anyway, I was not able to boot into the system. So I unlocked the bootloader again, flashed the patched boot image and did it all over again.
So now my mobile is unlocked, but is working fine. Is there any way I can relock it without any issues?
I read something like, if I had changed anything in the system partition this might happen. But that was the reason I used Magisk instead of editing the file. The Magisk plugin just changes a variable instead of editing the build.prop file. So until I reset the device, the Camera2 API will be enabled without changing any files in the system partition. But still the relocking fails. So what could be the problem here?
Locking the bootloader will fail if the boot image is not changed back to the original unpatched one. Maybe the uninstall didn't run properly.
You do not need Magisk to enable the camera2api attribute; just an adb command is needed. The Magisk module method is just easier for noobs.
You can manually add the lines to enable camera2api and eis in build.prop
You can do that and relock the bootloader normally
berezker said:
You can manually add the lines to enable camera2api and eis in build.prop
You can do that and relock the bootloader normally
barrack1 said:
Locking the bootloader will fail if the boot image is not changed back to the original unpatched one. Maybe the uninstall didn't run properly.
You do not need Magisk to enable the camera2api attribute; just an adb command is needed. The Magisk module method is just easier for noobs.
What about the OTA updates? Will I be getting them if I change the build.prop file?
Because the way with Magisk helps me get all the OTA updates. I just got one yesterday. I don't want to lose this. I read somewhere that editing any files in the system partition will stop me receiving the OTA updates.
obscurant1st said:
What about the OTA updates? Will I be getting them if I change the build.prop file?
Because the way with Magisk helps me get all the OTA updates. I just got one yesterday. I don't want to lose this. I read somewhere that editing any files in the system partition will stop me receiving the OTA updates.
OTA will not work if any file on /system, including build.prop, is changed.
All that is needed to enable GCam on this particular device is to enable the API through adb commands, which does not change the system partition.

Systemless root with custom su binary?

I've got a H870 from Israel with locked bootloader that isn't going to be unlocked (thanks for nothing, LG).
Now I've downgraded it from Pie to Oreo, as the Oreo kernel is vulnerable to CVE-2019-2215; thanks to https://repo.or.cz/cve2019-2215-3.18.git I've got a working su binary that sets SELinux to permissive and gives me a root shell.
I'm looking for a way to integrate this with one of the usual root apps (ideally Magisk), but I'm somewhat at a loss as to how these do their magic, especially in a way that doesn't involve messing with /system (which cannot be mounted r/w and comes from a ramdisk anyway, as far as I understand it).
Does anybody have experience with this? Can Magisk do a systemless install, and can its su be substituted by my own su?
Thanks for any input.
