
android_run_root_shell's People

Contributors

cofface, doomlord, eunchan-kim, fi01, izrik, schizoidboy, stormtroopermx, tmyt, wphungsuk


android_run_root_shell's Issues

Does not work on MagicBox T17 running YunOS 6.1 (aka Android 5.1 LMY47V.20200724)

shell@MagicBox_T17:/ $ cd /data/local/tmp
cd /data/local/tmp
shell@MagicBox_T17:/data/local/tmp $ ./run_root_shell
./run_root_shell


Device detected: MagicBox_T17 (LMY47V.20200724 test-keys)

Try to find address in memory...
Attempt msm_cameraconfig exploit...
Detected kernel physical address at 0x00108000 from iomem

Attempt fb_mem exploit...
Detected kernel physical address at 0x00108000 from iomem
You need to manage to get remap_pfn_range address.

Try copying kernel memory... It will take a long time.
Attempt pingpong exploit...
Attempt futex exploit...
failed to exploit...
Attempt get_user exploit...
connect(): failed
Attempt get_user exploit...
error in setsockopt().
error in setsockopt().
Failed to get prepare_kernel_cred address.
Failed to get commit_creds address.
Failed to get ptmx_fops address.
Failed to get prepare_kernel_cred address.
Failed to get commit_creds address.
Failed to get ptmx_fops address.
MagicBox_T17 (LMY47V.20200724 test-keys) is not supported.
Failed to setup variables.
MagicBox_T17 (LMY47V.20200724 test-keys) is not supported.
Failed to setup variables.
1|shell@MagicBox_T17:/data/local/tmp $

This is the log and I don't know the reason. Maybe YunOS has some changes?
BTW, I'm running adb 1.0.32 on Windows Vista lol.

SCH-I545 (JSS15J.I545VRUEMJ7) failed

That's Samsung S4 from Verizon.

Kernel is 3.4.0 so put_user should work.

Try copying kernel memory... It will take a long time.
Attempt get_user exploit...
Search address in memroy...
Using kallsyms_in_memroy...
prepare_kernel_cred = 0xc00a6fcc
commit_creds = 0xc00a6a94
ptmx_fops = 0xc1176cc8
..
Attempt put_user exploit...

List of rootkits used

Could you make a list of all the rootkits used, external references (like linux kernel bugtracker links), and possible risks as well as system files overwritten/misused?
It would make people like me a lot more comfortable using these tools.

HTC J ONE (htl22) root wanted

I have an HTC J ONE (htl22) with hboot 1.54, mainver 2.21.970.2. I just want to root it for SIM unlock. When I try run_root_shell, it doesn't work. How can I root it?

FATAL ERROR: DB file open failed.

Hi,
I did the steps but an error was thrown:
................................
access failed: "device.db"
access failed: "/data/local/tmp/device.db"

FATAL ERROR: DB file open failed.
Make sure install "device.db" from device_database!
..............................
help
thanks

GT-I9195 JDQ39.I9195XXUAMF5: getuid()==0 but execl fails

Hi,

on GT-I9195 JDQ39.I9195XXUAMF5 the getuid() call returns 0 but system and execl fail (perror("execl") says "Permission denied"). Any idea what causes this?

I can get execl to work using the following workaround:

diff --git a/main.c b/main.c
index 60f5cc0..9156268 100644
--- a/main.c
+++ b/main.c
@@ -202,7 +202,9 @@ main(int argc, char **argv)
   if (command == NULL) {
     system("/system/bin/sh");
   } else {
-    execl("/system/bin/sh", "/system/bin/sh", "-c", command, NULL);
+    if (fork() == 0) {
+      execl("/system/bin/sh", "/system/bin/sh", "-c", command, NULL);
+    }
   }

   exit(EXIT_SUCCESS);
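Review bot: The parent in the new else branch neither waits for the forked child nor checks fork() for -1, so it falls straight through to exit(EXIT_SUCCESS); the command's exit status is lost and the shell prompt returns before the child's output, which is what the log below shows (the uid=0(root) line arrives after the prompt). Keep the pid, call waitpid() on it in the parent and exit with the child's status, and treat a negative return from fork() as an error. In the child, call _exit() with a failure code if execl() returns, because as written a failed execl in the child also reaches exit(EXIT_SUCCESS). The change also works around the "Permission denied" without identifying its cause, so a comment in the code saying why the fork is needed would help.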
1|shell@android:/data/local/tmp $ ./run_root_shell -c id                       


Device detected: GT-I9195 (JDQ39.I9195XXUAMF5)

Attempt acdb exploit...
GT-I9195 (JDQ39.I9195XXUAMF5) is not supported.

Attempt fj_hdcp exploit...

Attempt msm_cameraconfig exploit...
Detected kernel physical address at 0x80208000 form iomem

Attempt put_user exploit...
shell@android:/data/local/tmp $ uid=0(root) gid=0(root) context=u:r:kernel:s0

shell@android:/data/local/tmp $ 

Support HUAWEI devices (easy).

/dev/memalloc and so on are vulnerable, they can mmap kernel directly.
Tested on K3v2 devices in China, works fine.
Tested on EMobile GL07S; unfortunately, modification of kernel code works, while modification of kernel data/bss won't sync. Don't know why, maybe ccsecurity?

Android NDK: Module run_root_shell depends on undefined modules: cutils c dl icuuc icui18n utils log

Android NDK: APP_PLATFORM not set. Defaulting to minimum supported version android-14.
Android NDK: WARNING:libexploit/Android.mk:exploit: LOCAL_LDFLAGS is always ignored for static libraries
%USERDIR%/android-ndk-r15c/build//../build/core/build-binary.mk:688: Android NDK: Module run_root_shell depends on undefined modules: cutils c dl icuuc icui18n utils log
%USERDIR%/android-ndk-r15c/build//../build/core/build-binary.mk:701: *** Android NDK: Aborting (set APP_ALLOW_MISSING_DEPS=true to allow missing dependencies) . Stop.

I got that error after running ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk

Not working on X86 Android Tablets

Hi,
please, could you get it to work for the new Asus Memo Pad 10 FHD
with Intel x86 SoC Z2560 and Android 4.2.2?

It's an Intel x86 SoC and if I compile, I only get an ARM binary!
Big thanks!

chmod +x run_root_shell Operation not permitted

libra:/sdcard/test $ ls -l
-rw-rw---- 1 root sdcard_rw 399712 2017-10-14 08:53 run_root_shell
libra:/sdcard/test $

libra:/sdcard/test $ chmod +x run_root_shell
chmod: chmod 'run_root_shell' to 100771: Operation not permitted

build error on exploit.c: redefinition of 'struct mmsghdr'

SimonMacBookPro:android_run_root_shell simon$ ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk
Android NDK: WARNING:libexploit/Android.mk:exploit: LOCAL_LDFLAGS is always ignored for static libraries
[armeabi] Compile thumb : run_root_shell <= cred.c
[armeabi] Compile thumb : run_root_shell <= kallsyms.c
[armeabi] Compile thumb : run_root_shell <= main.c
[armeabi] Compile thumb : run_root_shell <= mm.c
[armeabi] Compile thumb : run_root_shell <= ptmx.c
[armeabi] Compile thumb : exploit <= exploit.c
libexploit/exploit.c: In function 'find_kernel_text_from_iomem':
libexploit/exploit.c:114:5: warning: format '%x' expects argument of type 'unsigned int', but argument 2 has type 'long unsigned int' [-Wformat=]
printf("Detected kernel physical address at 0x%08x from iomem\n", kernel_ram);
^
[armeabi] Compile thumb : exploit <= mmap.c
[armeabi] StaticLibrary : libexploit.a
[armeabi] Compile thumb : kallsyms <= kallsyms_in_memory.c
[armeabi] StaticLibrary : libkallsyms.a
[armeabi] Compile thumb : diagexploit <= diag.c
[armeabi] StaticLibrary : libdiagexploit.a
[armeabi] Compile thumb : perf_event_exploit <= perf_event.c
[armeabi] Compile thumb : perf_event_exploit <= perf_swevent.c
[armeabi] StaticLibrary : libperf_event_exploit.a
[armeabi] Compile thumb : msm_acdb_exploit <= acdb.c
[armeabi] StaticLibrary : libmsm_acdb_exploit.a
[armeabi] Compile thumb : fj_hdcp_exploit <= fj_hdcp.c
[armeabi] StaticLibrary : libfj_hdcp_exploit.a
[armeabi] Compile thumb : fb_mem_exploit <= fb_mem.c
[armeabi] StaticLibrary : libfb_mem_exploit.a
[armeabi] Compile thumb : msm_cameraconfig_exploit <= msm_cameraconfig.c
[armeabi] StaticLibrary : libmsm_cameraconfig_exploit.a
[armeabi] Compile thumb : put_user_exploit <= put_user.c
[armeabi] StaticLibrary : libput_user_exploit.a
[armeabi] Compile thumb : get_user_exploit <= get_user.c
[armeabi] StaticLibrary : libget_user_exploit.a
[armeabi] Compile thumb : futex_exploit <= futex.c
[armeabi] Compile thumb : futex_exploit <= exploit.c
libexploit/libfutex_exploit/exploit.c:82:8: error: redefinition of 'struct mmsghdr'
struct mmsghdr {
^
In file included from libexploit/libfutex_exploit/exploit.c:24:0:
/opt/android-ndk-r10b/platforms/android-L/arch-arm/usr/include/sys/socket.h:99:8: note: originally defined here
struct mmsghdr {
^
make: *** [obj/local/armeabi/objs/futex_exploit/exploit.o] Error 1

syscall_perf_event_open function

Hi,
in perf_event.c we have the function syscall_perf_event_open
and this code on line 173:
uint64_t buf[10] = { 0x4800000001, offset, 0, 0, 0, 0x300 };
then we have this:
syscall(__NR_perf_event_open, buf, 0, -1, -1, 0);
What does this syscall do?
What is the meaning of the parameters we pass: 0, -1, -1, 0?
Thanks a lot for helping.

Sorry, can someone help me please idk anything about codes

I don't know anything about coding or something and "One click root" apps don't work on my phone (LG X Power; LGE-K220). Can someone please help me? My Discord: SourCreamKun#0356. I have already downloaded everything connected with this question but don't know what to do.

ret = ioctl(sock, SIOCGSTAMPNS, &tv); return -1

I am going to use the libpingpong PoC on my Android Nexus 5 device.

I have developed an APK file and integrated the libpingpong native code (the exploit.c and pingpong.c C functions) in the native part of my application.
When I run my application, I cannot get root access. I traced my application and my code and found that the ioctl does not return 1 and only returns -1, which is not good.

What is the problem and how can I resolve that? Can anyone help me, please?

Thanks.

SM-G9200 PingPong root failed.

I used device SM-G9200 (LRX22G.G9200ZCU1AOD9) to execute run_root_shell.
The device auto-reboots during the pingpong exploit. Root failed; the log is as follows:

Device detected: SM-G9200 (LRX22G.G9200ZCU1AOD9)

Try to find address in memory...
Attempt msm_cameraconfig exploit...
Detected kernel physical address at 0x40008000 from iomem

Attempt fb_mem exploit...
Detected kernel physical address at 0x40008000 from iomem
You need to manage to get remap_pfn_range address.

Try copying kernel memory... It will take a long time.
Attempt pingpong exploit...

Then it reboots. Root failed.

huawei G700 fail

Device detected: HUAWEI G700-T00 (G700-T00 V100R001CHNC01B138)

Try to find address in memory...
Attempt msm_cameraconfig exploit...
Detected kernel physical address at 0x80008000 form iomem

Attempt fb_mem exploit...
Detected kernel physical address at 0x80008000 form iomem
Segmentation fault

Support for NTT docomo fujitsu arrows tab F 02 F

Guys, hello

I'd like to root [F 02F](https://www.fmworld.net/product/phone/f-02f/spec.html?fmwfrom=f-02f_index).
As far as I understand, android_run_root_shell does not support it at the moment. I wanted to ask how difficult it would be to add support for this model. I mean, I know some programming and, given some guidance, I would be happy to add the support myself.

Best,
Alex

Build failed by android-ndk-r11c

I followed the instructions in the README.

When I run ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk

I get this error message from make:

[armeabi] Compile thumb  : run_root_shell <= main.c
./main.c:14:29: fatal error: device_database.h: No such file or directory
 #include "device_database.h"
                             ^
compilation terminated.
/is/ws/android-ndk-r11c/build/core/build-binary.mk:460: recipe for target '/root/src/android_run_root_shell/obj/local/armeabi/objs/run_root_shell/main.o' failed
make: *** [/root/src/android_run_root_shell/obj/local/armeabi/objs/run_root_shell/main.o] Error 1

I'm sure TARGET_C_INCLUDES defined in Android.mk doesn't work properly.
The actual build command is

/is/ws/android-ndk-r11c/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin/arm-linux-androideabi-gcc -MMD -MP -MF /root/src/android_run_root_shell/obj/local/armeabi/objs/run_root_shell/main.o.d -fpic -ffunction-sections -funwind-tables -fstack-protector-strong -no-canonical-prefixes -march=armv5te -mtune=xscale -msoft-float -mthumb -Os -g -DNDEBUG -fomit-frame-pointer -fno-strict-aliasing -finline-limit=64 -I. -DANDROID  -Wa,--noexecstack -Wformat -Werror=format-security    -isystem /is/ws/android-ndk-r11c/platforms/android-9/arch-arm/usr/include -c  ./main.c -o /root/src/android_run_root_shell/obj/local/armeabi/objs/run_root_shell/main.o

The device_database include directory option is missing.

I don't know why and how to resolve the problem.

I wonder which NDK version was used to build.

Please help me! It does not build.

root@kali:~/Desktop/android_run_root_shell# ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk
[armeabi] Compile thumb : run_root_shell <= cred.c
In file included from ./cred.c:5:0:
./mm.h:23:32: fatal error: libexploit/exploit.h: No such file or directory
#include <libexploit/exploit.h>
^
compilation terminated.
make: *** [obj/local/armeabi/objs/run_root_shell/cred.o] Error 1
//////////////////////////////////////////////////////////
Why this? My NDK = ndk-10e
My NDK path:
export PATH=$PATH:/root/Desktop/android-ndk-r10e

Docomo Fujitsu Arrows NX F-01F support?

I know, it's a kinda old model from Docomo, but still there's no support even for temporary root. I have owned the F-01F for several years and there was one major upgrade. So, now the recent firmware is based on Android 4.4.2, build # V10R22A (kernel version 3.4.0). For this model I'm ready to do all the necessary procedures related to root obtainment.

If I understand clearly I need to run android_get_essential_address to get specific memory addresses, which later would be added to the device database. Is that correct?

BTW, 2ch boards contain the addresses for the previous firmware:

FJT21

prepare_kernel_cred = 0xc01b7b0c
commit_creds = 0xc01b75e4
remap_pfn_range = 0xc0235978
perf_swevent_enabled = 0xc111ff18
ptmx_fops = 0xc112eeb4

security_remap_pfn_range = 0xc0347908
vmalloc_exec = 0xc0242278

remap_pfn_range_end_op = 0xc0fed714

I wonder if they work for V10R22A.

perf_event_write_value_at_address function

Hi again :)
On line 164 in perf_event.c we have a while loop.
Why do you choose the minimum of (value, PERF_SWEVENT_MAX_FILE),
and then do value -= PERF_SWEVENT_MAX_FILE every time?
value is the address of commit_creds(prepare_kernel_cred(0)), right?
So why do you subtract it from PERF_SWEVENT_MAX_FILE?
Thanks a lot for helping.

undefined reference to `__mmap2' in mmap.c

When building, all the files get compiled (of course with some tweaking). But, the linker gives this error:

./obj/local/arm64-v8a/libexploit.a(mmap.o): In function `mmap':
/root/Dev/android_run_root_shell/libexploit/mmap.c:55: undefined reference to `__mmap2'
clang++: error: linker command failed with exit code 1 (use -v to see invocation)

DirtyC0W

Not sure if this is still being actively maintained, but why not add the Dirty Cow exploit, which will allow most Android devices with a vulnerable kernel to get root?
