Difference between revisions of "Revue software root"
(→Bugs) |
|||
Line 29: | Line 29: | ||
===Bugs=== | ===Bugs=== | ||
This is unstable and should be seen as more of a POC (Proof of concept) than a public release. This exploit makes the box unstable and is not persistent between boots (which means you will have to run this each time you start the device). We are working on fixing this but are having to jump through quite a few hurdles because of the signed partitions. We will update this page with progress when/if we come up with a work around. | *'''Persistence''' - This is unstable and should be seen as more of a POC (Proof of concept) than a public release. This exploit makes the box unstable and is not persistent between boots (which means you will have to run this each time you start the device). We are working on fixing this but are having to jump through quite a few hurdles because of the signed partitions. We will update this page with progress when/if we come up with a work around. | ||
==Exploiting== | ==Exploiting== |
Revision as of 08:08, 4 August 2012
WARNING
The links on this page contain the until now unreleased Revue root. This is being released as a way to allow the more skilled members of the community to look at. The root is incredibly unstable and we are providing it unpackaged to prevent it from being used by someone who may end up damaging their box. As bliss described it, “it is like punching the device in the face while telling it that it’s not getting hit”. If you are looking to get root to help achieve some form of optimal Android experience from the box, then please wait for a better packaged version with persistence. If you are technically savy and are willing to risk damaging your box, gambling on how skilled you are, then feel free to give it a shot. Please note that you are likely to brick your device much like we have bricked ours many times (but we have fancy-pants hardware recovery mechanisms).
About
About nandpwn
Coming Soon.
Exploit Flow
- Use /dev/devmem to map NAND controller's hardware registers into address space
- Leverage kernel info leak to resolve virtual address of current process' kernel stack
- Write to hardware registers to trigger DMA on top of offset from base of kernel stack
- Since addr_limit is raised (hopefully), can read()/write() to write/read arbitrary kernel memory
- Fixup sysenter_return, overwrite restart_block function pointer to point to payload
- Trigger function pointer to escalate privileges and win!
About codesign
Coming Soon.
About blockwrite
Coming Soon.
Work In Progress
Hurdles
- ADBD designed to never run as root. (Completed)
- Signed /system, /boot, kernel, recovery, bootloader
- nosuid /cache, /data, /sdcard
- nodev /cache, /data, /sdcard
Bugs
- Persistence - This is unstable and should be seen as more of a POC (Proof of concept) than a public release. This exploit makes the box unstable and is not persistent between boots (which means you will have to run this each time you start the device). We are working on fixing this but are having to jump through quite a few hurdles because of the signed partitions. We will update this page with progress when/if we come up with a work around.
Exploiting
Required Tools
- ADB (Android Debug Bridge)
- x86 Compiler
Building the code
We are not posting how to build the code as if you are unable to build an x86 binary you probably shouldn't be attempting this root in the first place.