I took a hiatus/leave from the now semi-defunct Eris Root Dev Team.
XDA became a flamer zone, and I decided to move on to bigger and better things.
Just in case anyone out there is looking to work more on Root/Exploits, here is a bunch of tried-and-failed info/links.
A lot of people are new and want to learn. This is AWESOME!
So if you are new and want to learn a bit more, and maybe root or cook your own ROM down the road, here are some ideas.
What really helped me was downloading an Ubuntu environment and messing around with that.
Head over to XDA and check out the old G1 and Hero ROM/Root threads.
This site was great for me when starting:
KernelHacking - Linux Kernel Newbies
I would say start here:
CompleteNewbiesClickHere - Linux Kernel Newbies
Known Exploits for our Eris!
Exploits for Eris
Feel free to edit and publish more you've found!
http://downloads.securityfocus.com/v...oits/36901-2.c - Nindoja simpler exploit
Linux Kernel 'pipe.c' Local Privilege Escalation Vulnerability
http://downloads.securityfocus.com/v...oits/36901-1.c
http://xorl.wordpress.com/2010/01/14...se-after-free/ - FASYNC; will work after removing at_random (at_random doesn't exist on Eris)
Rooting Status/Methods:
HTC released the kernel code for our Eris! See here:
HTC - Developer Center
We should use this format (thanks Videofolife13):
Tried: milw0rm/exploits/8478
Worked (y/n): no
Why?: Does not affect this kernel version.
Tried: asroot2
Worked (y/n): no
Why?: Hole was more than likely patched.
Tried: Flashrec
Worked (y/n): No
Why?: See above
Tried: Renaming a ROM UPDATE.ZIP / PB001ZIP
Worked (y/n): no
Why?: ROMs are signed by HTC. We can't sign our own.
Tried: Linux Kernel 2.6 UDEV Local Privilege Escalation Exploit
Worked (y/n): no
Why?: I don't know. May be something to look further into.
Tried: current->clear_child_tid pointer http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-2848
Worked (y/n): ?
Why?: Never followed up
Tried: Buffer overrun on open ports
Worked (y/n): ?
Why?: Suggested by Jmanly, but documentation for an exploit that could work was never found.
Tried: Editing the recovery.zip that goes right into the RUU
Worked (y/n): no
Why?: This was trying to use the RUU to our advantage and write a custom recovery image to the phone through it. It didn't work because the modified ROMs failed a signature check.
Tried: Buffers/Editing Recovery/Running Different Recoveries.
Worked (y/n): no
Why?: It just didn't want to; would not patch/run successfully.
Tried:
Linux Kernel 'drivers/scsi/gdth.c' Local Privilege Escalation Vulnerability. Here is some more info on it. Problem description: Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel: Array index error in the gdth_read_event function in drivers/scsi/gdth.c in the Linux kernel before 2.6.32-rc8 allows local users to cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request. (CVE-2009-3080).
Result:
SCSI support hasn't been compiled in for our device.
Tried:
Linux Kernel 'pipe.c' Local Privilege Escalation Vulnerability
Result:
This exploit is better known in the Android community as "asroot2".
Vulnerable Devices:
Hero
Patched Devices:
Droid Eris (Desire)
Tried:
Linux Kernel 2.4 and 2.6 Local Information Disclosure Vulnerability
Result:
Just a local information disclosure bug; definitely the cocoon of a vulnerability, but not a vulnerability in itself.
Tried:
Linux Kernel 'fasync_helper()' Local Privilege Escalation Vulnerability
Result:
Turns out our device was not vulnerable.
Tried:
Linux Kernel 'ebtables' Security Bypass Vulnerability
Result:
Just a vulnerability against ebtables, firewall and internet traffic filtering software.
Tried:
Replacing the stock imgs in the Google SDK with those we have gotten from the Eris to adb pull files.
Result:
All of what the RUU does can be found in the same place as "rom.zip" after it has been loaded. XDA has a tutorial; I don't remember where, just somewhere in %APPDATA%/Temp. The "fastboot oem" commands only work in oem-78 mode (or w/e it is). We still can't push unsigned zips here though; tried and failed.
Name: udev privilege escalation
Known Exploits:
Linux Kernel 2.6 UDEV Local Privilege Escalation Exploit
Linux Kernel 2.6 UDEV < 141 Local Privilege Escalation Exploit
Tried: #8572: Compiles but doesn't do anything. Turns out Android doesn't use udev apparently, so this won't work.
Name: pipe.c bug (aka asroot2)
Known Exploits:
Linux Kernel 'pipe.c' Local Privilege Escalation Vulnerability (there are 4 different implementations here)
Tried: Already been tried before, as mentioned on the XDA forums; turns out the Eris kernel has a patch.
Name: sock_sendpage() / ip_append_data()
Known Exploits: there are a tonne of implementations for this one on milw0rm; the two that may apply to the Eris, I believe, are:
Linux Kernel 2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver)
Linux Kernel 2.4/2.6 sock_sendpage() Local Root Exploit (ppc) (this one might only apply to SELinux)
Tried: I am still trying to get 9479 to compile, and some of the implementations mention use of PulseAudio, which I am not sure is available on the Eris.
Tried: reflash using mtty
Failed: only works for Windows Mobile.
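As an added example, not part of the original post: the gdth.c entry above (CVE-2009-3080, fixed in 2.6.32-rc8, and moot on this device because SCSI support was not compiled in) is exactly the "does this even apply to our kernel" triage a defender does before worrying about a published bug. The Python below does both halves offline: it orders kernel version strings, handling -rcN so that 2.6.32-rc7 counts as affected and 2.6.32-rc8 does not, and it parses a kernel .config fragment to see whether the gdth driver (Kconfig symbol CONFIG_SCSI_GDTH) is built in at all. The version string and the .config fragment at the bottom are constructed sample values, not the Eris kernel's.

```python
import re

# CVE-2009-3080 as described on the page: array index error in
# gdth_read_event(), fixed in kernels from 2.6.32-rc8 onward.
CVE_FIXED_IN = "2.6.32-rc8"
GDTH_SYMBOL = "CONFIG_SCSI_GDTH"   # Kconfig symbol for drivers/scsi/gdth.c

# Accepts "2.6.29", "2.6.32-rc8", or a vendor string such as "2.6.29-gabc123"
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")

# A final release sorts after every -rcN of the same number, so a final
# release gets this sentinel in the rc slot.
_FINAL = 10**6


def parse_kernel_version(s):
    """Turn a kernel version string into a comparable (major, minor, patch, rc) tuple."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError("unrecognised kernel version: %r" % s)
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else _FINAL)


def version_affected(running, fixed_in=CVE_FIXED_IN):
    """True when the running kernel predates the fixing release."""
    return parse_kernel_version(running) < parse_kernel_version(fixed_in)


def parse_kconfig(text):
    """Parse kernel .config lines into {SYMBOL: value}.
    '# CONFIG_FOO is not set' is recorded as 'n'; quoted strings lose their quotes."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            cfg[m.group(1)] = "n"
            continue
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
    return cfg


def driver_built(cfg, symbol):
    """Built-in (y) or module (m) both count as present; absent or 'n' does not."""
    return cfg.get(symbol, "n") in ("y", "m")


def triage(running_version, kconfig_text, symbol=GDTH_SYMBOL, fixed_in=CVE_FIXED_IN):
    """Combine the version check with the build check into one verdict."""
    in_range = version_affected(running_version, fixed_in)
    built = driver_built(parse_kconfig(kconfig_text), symbol)
    if in_range and built:
        return "exposed"
    if in_range:
        return "version-in-range-but-driver-absent"
    return "not-affected"


# Constructed sample values (assumptions, not taken from the Eris kernel):
SAMPLE_VERSION = "2.6.29"
SAMPLE_CONFIG = """\
CONFIG_SCSI=y
# CONFIG_SCSI_GDTH is not set
CONFIG_LOCALVERSION="-sample"
"""

if __name__ == "__main__":
    print(SAMPLE_VERSION, "->", triage(SAMPLE_VERSION, SAMPLE_CONFIG))
```

The two halves fail independently: a kernel inside the affected range but without the driver reports `version-in-range-but-driver-absent`, which is the situation the post describes, while a kernel at or past 2.6.32-rc8 reports `not-affected` regardless of the config.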