
Comments (30)

fi01 commented on August 20, 2024

These tools do not work for F-01F build V10R22A. PXN is enabled even though it is a 32-bit kernel.
If you want to execute exploit code, you need to use JOP code or something similar, not tools like these.

from android_run_root_shell.

dadreamer commented on August 20, 2024

@fi01
OMG, such a hardcore protection for the old phone without both SE and HCE! Well, it seems I won't overcome that with my knowledge of Android OS. But if I downgrade to older builds, will it be possible to use your tools?

fi01 commented on August 20, 2024

I think we can run the exploit via pingpong with some parameter customization on build V33R64B. But I have never heard that it was possible to downgrade.

dadreamer commented on August 20, 2024

@fi01
Well, I see that I cannot downgrade due to the absence of public firmwares. I wonder if iovyroot is suitable for this task, as it's dealing with JOP code somehow. Still searching for other ready-to-go rootkits, but little has been found for now.

dadreamer commented on August 20, 2024

Just out of curiosity I've run a few vulnerability test apps. They showed that F-01F is vulnerable to these flaws:
CVE-2015-1474 (GraphicBuffer integer overflow)
CVE-2015-1538 #2, #3, #4 (libstagefright: "ctts"/"stts"/"stss" MP4 atom integer overflow remote code execution)
CVE-2015-3829 (libstagefright: "covr" MP4 atom integer overflow remote code execution)
CVE-2015-3864 (libstagefright: MP4 atom integer underflow remote code execution)
CVE-2015-6602 (libstagefright: libutils MP3/MP4 remote code execution)
CVE-2015-3825 -> CVE-2015-3837 (memory corruption in OpenSSLX509Certificate deserialization -> remote code execution)
CVE-2015-3636 (the famous pingpong bug)
CVE-2015-6608 (mediaserver remote code execution)
CVE-2015-1528 (integer overflow in the native_handle_create function)
CVE-2015-6616 (mediaserver remote code execution)

+ new Qualcomm vulns (obtained with QuadRooter):
CVE-2016-2059 (gain privileges by using msm_ipc_router_bind_control_port function)
CVE-2016-2504 (gain privileges via crafted app)
CVE-2016-2503 (gain privileges via crafted app)
CVE-2016-5340 (bypass some restrictions by using is_ashmem_file function)

I think all those Stagefright vulnerabilities are of no real use for gaining root, because they are hard to apply. For the others I checked the web and the result is not so good. The rest don't even have working code for Android to compile and test. Among them, CVE-2015-3636 is widely known and well studied. It seems to me it might be possible to run it on F-01F. I tried that with your pingpong PoC and the result gives some hope.

C:\adb>adb push poc data/local/tmp
poc: 1 file pushed. 1.9 MB/s (68492 bytes in 0.034s)

C:\adb>adb shell
shell@F01F:/ $ cd data/local/tmp
shell@F01F:/data/local/tmp $ chmod 755 poc
shell@F01F:/data/local/tmp $ ./poc
Creating target socket................... OK
16 + 65000 sockets created
20971520 bytes allocated
Done!
C:\adb>

But after this 'Done!' string the phone reboots and of course there's no root... I have tried other forks of this PoC. Some of them display 'Terminated' instead and throw me back to the adb shell. The phone doesn't reboot, but there is no root either.
Is this code able to defeat PXN at all?

fi01 commented on August 20, 2024

You have no chance without JOP. It will need a kernel memory dump or a boot image.

dadreamer commented on August 20, 2024

@fi01
In the meantime I have tried all available exploits for those CVEs, hoping they'd allow me to pull out boot.img. Sadly I had no success, because they all require specific memory addresses to work properly. I couldn't debug the phone's memory without root.

But I've found something interesting. Maybe you heard of last year's finding on the RowHammer attack... Here's the article for that. And this one is more detailed. I checked F-01F with the test tool Drammer and it showed that my device is vulnerable. After spending some time searching I found the PoC, which is demonstrated here. After all, it appears that this PoC was written especially for the LG Nexus 5 (Android 6.0.1), so it works incorrectly on other devices. It cannot finish and reports various errors. Well, it's a private thing also. But I can send it to you if you're interested in this. Maybe it could help in writing a new exploit based on the RH attack.

Btw, you could check out these test apps (32-bit ready) to see if the device is vulnerable:
http://vvdveen.com/drammer/drammer.apk
http://vvdveen.com/drammer/rh-test
http://vvdveen.com/drammer/drammer
There's a source on GitHub also.

dadreamer commented on August 20, 2024

It seems that "very secret" exploit gave me some basic root priv's, so I managed to pull out my boot.img and kallsyms from the phone. But still all other things are locked and SELinux is on. So I started to adapt iovyroot to do the final task. Currently I'm stuck at finding the correct joploc / jopret and selinux_enforcing. Maybe you, with your great experience in rooting, could look at my kernel and kallsyms and point me to the way to go. :) My dumps are here: dosomder/iovyroot#48

fi01 commented on August 20, 2024

About 3 months ago I dumped the boot image, and I confirmed that iovyroot's JOP method is not enough for F-01F. Because ptmx fops is in the text section, you cannot modify the fsync callback address, and there is nothing to kick JOP code by fsync.

dadreamer commented on August 20, 2024

Can I do something with it, having root (id=0)? There should be a way to disable SELinux. Maybe even something easy like that.

dadreamer commented on August 20, 2024

@fi01
Well, browsing some xda threads I've got the idea of getting hardware root by unsoldering the eMMC, altering its content and soldering it back. I think it should work, but it's kinda tricky and expensive. Now I know what to do to get the basic root priv's. But what can I do to disable (or maybe completely rip out) that fjsec security? I mean, is it possible to tweak some files in the system to remove it or put it into an inactive state?

I could dump the whole system or the necessary partitions/files if it helps.

ttlover201212 commented on August 20, 2024

I can root it with some tool..

dadreamer commented on August 20, 2024

@ttlover201212

I can root it with some tool..

Do you know how to disable fjsec LSM after that?

ttlover201212 commented on August 20, 2024

Sorry bro, I do not know.
I find that I can only root 4.22 but not 4.42..
Do you know how to temporarily root it?

dadreamer commented on August 20, 2024

@ttlover201212
I have the exploit which is able to gain root privileges. But I can't disable fjsec and can't mount /system as read-write. So these root privileges are useless. The only thing I can do is read various files and do the dumps.

I'm still trying to find a way to full-root 4.4.2 firmware.

By the way, fjsec may also be active on 4.2.2 firmwares (I'm kinda unsure, but it seems to be so). To disable it you need to use the Backdoor mmap tools by fi01. You will need to compile unlock_lsm_fjsec and unlock_mount_fjsec and run them on your device after you have got root priv's. I don't know if those sources need to be adapted to your task or not; it's better to ask fi01.

ttlover201212 commented on August 20, 2024

How to gain root privileges? I want to have a try on my fj01f. Can you give me the source code for rooting?

ttlover201212 commented on August 20, 2024

iovyroot???

dadreamer commented on August 20, 2024

@ttlover201212
It's private. Please, could you explain what you're planning to do when you get root? Do you have enough experience with Android and the Linux kernel, files, commands etc.?
If you don't know how to override PXN and disable the LSM, then root is of no use to you.

ttlover201212 commented on August 20, 2024

I know it's private, but I will appreciate it if you give me some help!
If I can get the root privileges, then I can do some further research.
Because one of my friends works in a root team.

ttlover201212 commented on August 20, 2024

If you do not want to share the source code, please tell me which direction I should spend more time working on. iovyroot???

dadreamer commented on August 20, 2024

@ttlover201212
As fi01 already said, iovyroot won't work for 4.4.2.
Do you have email or something to contact?

ttlover201212 commented on August 20, 2024

This is my email: [email protected]

komodo28 commented on August 20, 2024

how to root fujitsu f01f?

dadreamer commented on August 20, 2024

@komodo28
If you're on Android 4.2.2 JellyBean (build # V32R63C), look for Dianxinos Superuser or KingRoot. If you're on Android 4.4.2 (build # V10R22A), there is no way currently.

komodo28 commented on August 20, 2024

Android 4.4.2 (build # V10R22A)

cinubu11 commented on August 20, 2024

hi, I'm not an expert at this. Currently I have my f10f on Jellybean; is there any way to upgrade it to KitKat or even at least Marshmallow? thx

dadreamer commented on August 20, 2024

@cinubu11
For the KitKat upgrade you have to send the phone to Japan. That's the only way. Sadly, there is no way to upgrade to Lollipop, Marshmallow, Nougat, Oreo or Android P, because such updates were not released by Docomo.

dadreamer commented on August 20, 2024

@fi01
Just to let you know... I have tried HW rooting, but got no success with it. Here are the details: https://forum.xda-developers.com/showpost.php?p=77277502&postcount=7
So now the only hope is the software methods. Btw, I wonder how to do a SIM unlock, having root rights. Any ideas?

DeuZLorD commented on August 20, 2024

Can anyone help?
How to flash the Fujitsu F-01F?
I can't boot into EDL mode.

dadreamer commented on August 20, 2024

This issue is closed, because F-01F (V10R22A) is rooted now using the CVE-2017-8890 exp: https://github.com/dadreamer/CVE-2017-8890. I adapted the exp from thinkycx with some tricky ROP chain to overcome the fjsec protection. The LSM and SELinux are still in place after a system restart, so it's a subject for bootloader unlocking and system modification, but no progress has been made on that yet.
