Difference between revisions of "Revue software root"

From Exploitee.rs
Jump to navigationJump to search
Line 5: Line 5:
== WARNING ==
== WARNING ==
The links on this page contain the until now unreleased Revue root.  This is being released as a way to allow the more skilled members of the community to look at. The root is incredibly unstable and we are providing it unpackaged to prevent it from being used by someone who may end up damaging their box.  As bliss described it, “it is like punching the device in the face while telling it that it’s not getting hit”.  If you are looking to get root to help achieve some form of optimal Android experience from the box, then please wait for a better packaged version with persistence. If you are technically savy and are willing to risk damaging your box, gambling on how skilled you are, then feel free to give it a shot. Please note that you are likely to brick your device much like we have bricked ours many times (but we have fancy-pants hardware recovery mechanisms).
The links on this page contain the until now unreleased Revue root.  This is being released as a way to allow the more skilled members of the community to look at. The root is incredibly unstable and we are providing it unpackaged to prevent it from being used by someone who may end up damaging their box.  As bliss described it, “it is like punching the device in the face while telling it that it’s not getting hit”.  If you are looking to get root to help achieve some form of optimal Android experience from the box, then please wait for a better packaged version with persistence. If you are technically savy and are willing to risk damaging your box, gambling on how skilled you are, then feel free to give it a shot. Please note that you are likely to brick your device much like we have bricked ours many times (but we have fancy-pants hardware recovery mechanisms).
==About==


===About nandpwn===
===About nandpwn===
Coming Soon.
Coming Soon.
===Exploit Flow===
*Use /dev/devmem to map NAND controller's hardware registers into address space
*Leverage kernel info leak to resolve virtual address of current process' kernel stack
*Write to hardware registers to trigger DMA on top of offset from base of kernel stack
*Since addr_limit is raised (hopefully), can read()/write() to write/read arbitrary kernel memory
*Fixup sysenter_return, overwrite restart_block function pointer to point to payload
*Trigger function pointer to escalate privileges and win!


===About codesign===
===About codesign===
Line 15: Line 25:
Coming Soon.
Coming Soon.


==Work In Progress==
===Hurdles===
===Hurdles===
*ADBD designed to never run as root.
*ADBD designed to never run as root.
Line 24: Line 35:
This is unstable and should be seen as more of a POC (Proof of concept) than a public release. This exploit makes the box unstable and is not persistent between boots (which means you will have to run this each time you start the device). We are working on fixing this but are having to jump through quite a few hurdles because of the signed partitions. We will update this page with progress when/if we come up with a work around.
This is unstable and should be seen as more of a POC (Proof of concept) than a public release. This exploit makes the box unstable and is not persistent between boots (which means you will have to run this each time you start the device). We are working on fixing this but are having to jump through quite a few hurdles because of the signed partitions. We will update this page with progress when/if we come up with a work around.


==Exploiting==
===Required Tools===
===Required Tools===
*ADB (Android Debug Bridge)
*ADB (Android Debug Bridge)

Revision as of 07:50, 4 August 2012

Nandpwn.png


WARNING

The links on this page contain the until now unreleased Revue root. This is being released as a way to allow the more skilled members of the community to look at. The root is incredibly unstable and we are providing it unpackaged to prevent it from being used by someone who may end up damaging their box. As bliss described it, “it is like punching the device in the face while telling it that it’s not getting hit”. If you are looking to get root to help achieve some form of optimal Android experience from the box, then please wait for a better packaged version with persistence. If you are technically savy and are willing to risk damaging your box, gambling on how skilled you are, then feel free to give it a shot. Please note that you are likely to brick your device much like we have bricked ours many times (but we have fancy-pants hardware recovery mechanisms).

About

About nandpwn

Coming Soon.

Exploit Flow

  • Use /dev/devmem to map NAND controller's hardware registers into address space
  • Leverage kernel info leak to resolve virtual address of current process' kernel stack
  • Write to hardware registers to trigger DMA on top of offset from base of kernel stack
  • Since addr_limit is raised (hopefully), can read()/write() to write/read arbitrary kernel memory
  • Fixup sysenter_return, overwrite restart_block function pointer to point to payload
  • Trigger function pointer to escalate privileges and win!

About codesign

Coming Soon.

About blockwrite

Coming Soon.

Work In Progress

Hurdles

  • ADBD designed to never run as root.
  • Signed /system, /boot, kernel, recovery, bootloader
  • nosuid /cache, /data, /sdcard
  • nodev /cache, /data, /sdcard

Bugs

This is unstable and should be seen as more of a POC (Proof of concept) than a public release. This exploit makes the box unstable and is not persistent between boots (which means you will have to run this each time you start the device). We are working on fixing this but are having to jump through quite a few hurdles because of the signed partitions. We will update this page with progress when/if we come up with a work around.

Exploiting

Required Tools

  • ADB (Android Debug Bridge)
  • x86 Compiler

Building the code

We are not posting how to build the code as if you are unable to build an x86 binary you probably shouldn't be attempting this root in the first place.

Download

NandPwn