Eris Root Exploits/Methods Tried... For anyone to poke through...



  1. acidbath5546

    acidbath5546 Well-Known Member This Topic's Starter

    Joined:
    Jan 7, 2010
    Messages:
    575
    Likes Received:
    342
    I took a hiatus/leave from the now semi-defunct Eris Root Dev Team.
    XDA became a flamer zone, and I decided to move on to bigger and better things.
    Just in case anyone out there is looking to work more on root/exploits, here is a bunch of tried and failed info/links.

    A lot of people are new and want to learn. This is AWESOME!
    So if you are new and want to learn a bit more and maybe root or cook your own ROM down the road, here are some ideas :)

    What really helped me was downloading an Ubuntu environment and messing around with that.
    Head over to XDA and check out the old G1 and Hero ROM/Root Threads.

    This site was great for me starting:
    KernelHacking - Linux Kernel Newbies

    I would say start here:
    CompleteNewbiesClickHere - Linux Kernel Newbies


    Known Exploits for our Eris!
    Exploits for Eris

    Feel free to edit and publish more you've found!

    http://downloads.securityfocus.com/v...oits/36901-2.c - Nindoja simpler exploit

    Linux Kernel 'pipe.c' Local Privilege Escalation Vulnerability

    http://downloads.securityfocus.com/v...oits/36901-1.c
    http://xorl.wordpress.com/2010/01/14...se-after-free/ - FASYNC; Will work after removing at_random (At_random doesn't exist on Eris)


    Rooting Status/Methods:

    HTC released the kernel code for our Eris! See here:
    HTC - Developer Center

    We should use this format (thanks Videofolife13):

    Tried: milw0rm/exploits/8478
    Worked (y/n): no
    Why?: Does not affect this kernel version.

    Tried: asroot2
    Worked (y/n): no
    Why?: Hole was more than likely patched.

    Tried: Flashrec
    Worked (y/n): No
    Why?: See above

    Tried: Renaming a rom UPDATE.ZIP / PB001ZIP
    Worked (y/n): no
    Why?: ROMs are signed by HTC. We can't sign our own.

    Tried: Linux Kernel 2.6 UDEV Local Privilege Escalation Exploit
    Worked (y/n): no
    Why?: I don't know. May be something to look further into.

    Tried: current->clear_child_tid pointer http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-2848
    Worked (y/n): ?
    Why?: Never followed up

    Tried: Buffer over run open ports
    Worked (y/n): ?
    Why?: Suggested by Jmanly, but documentation for an exploit that could work was never found.

    Tried: Editing recovery.zip that goes right into the Ruu
    Worked (y/n): no
    Why?: This was trying to use the RUU to our advantage and write a custom recovery image to the phone through it. It didn't work because the modified roms failed a signature check.

    Tried: Buffers/Editing Recovery/Running Different Recoveries.
    Worked (y/n): no
    Why?: It just didn't want to... would not patch/run successfully.

    Tried:
    Linux Kernel 'drivers/scsi/gdth.c' Local Privilege Escalation Vulnerability Here is some more info on it. Problem Description: Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel: Array index error in the gdth_read_event function in drivers/scsi/gdth.c in the Linux kernel before 2.6.32-rc8 allows local users to cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request. (CVE-2009-3080).

    Result:
    SCSI support hasn't been compiled in for our device

    Tried:
    Linux Kernel 'pipe.c' Local Privilege Escalation Vulnerability

    Result:
    This exploit is better known in the Android community as "asroot2".
    Vulnerable Devices:
    Hero
    Patched Devices:
    Droid Eris (Desire)

    Tried:
    Linux Kernel 2.4 and 2.6 Local Information Disclosure Vulnerability
    Result:
    Just a local information disclosure bug; definitely the cocoon of a vulnerability, but not a vulnerability in itself.

    Tried:
    Linux Kernel 'fasync_helper()' Local Privilege Escalation Vulnerability
    Result:
    Turns out our device was not vulnerable.

    Tried:
    Linux Kernel 'ebtables' Security Bypass Vulnerability
    Result:
    Just a vulnerability against ebtables, a firewall and internet traffic filtering software.

    Tried:
    Replacing the stock imgs in the Google SDK with those we have gotten from the Eris to adb pull files.
    Result:
    All of what the RUU does can be found in the same place as "rom.zip" after it has been loaded. XDA has a tutorial, I don't remember where, just somewhere in %APPDATA%/Temp. The "fastboot oem" commands only work in oem-78 mode (or w/e it is). We still can't push unsigned zips here though, tried and failed.

    Name: udev privilege escalation
    Known Exploits:
    Linux Kernel 2.6 UDEV Local Privilege Escalation Exploit
    Linux Kernel 2.6 UDEV < 141 Local Privilege Escalation Exploit
    Tried: #8572: Compiles but doesn't do anything. Turns out Android doesn't use udev apparently, so this won't work.

    Name: pipe.c bug (aka asroot2)
    Known Exploits:
    Linux Kernel 'pipe.c' Local Privilege Escalation Vulnerability (there are 4 different implementations here)
    Tried: Already been tried before as mentioned on the xda forums, turns out Eris kernel has a patch

    Name: sock_sendpage() / ip_append_data()
    Known Exploits: there are a tonne of Implementations for this one on milw0rm, the two that may apply to eris I believe are:
    Linux Kernel 2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver)
    Linux Kernel 2.4/2.6 sock_sendpage() Local Root Exploit (ppc) (this one might only apply to SElinux)

    Tried: I am trying to get 9479 to compile still, and some of the implementations mention use of pulseaudio, which I am not sure is available on Eris

    Tried: reflash using mtty
    Failed: only works for Windows Mobile
     

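    Added example (my own illustration, not code from the thread, from HTC or from Android): the post keeps running into the same wall, the recovery signature check on update.zip. This is a working model of what that check does. Stock Android recovery of that era verifies a whole-file RSA/SHA-1 signature stored in the zip's end-of-central-directory comment; the last six bytes of the file are [signature start, LE16] [0xFF 0xFF] [comment size, LE16], and the signed region is everything before the signature. Assumptions in this block: the real verifier uses PKCS#1 v1.5 and keys compiled into the recovery image, while this code uses textbook RSA with toy Mersenne-prime keys (VENDOR_* and ATTACKER_* are made up here) so it runs offline with only the Python standard library; SAMPLE_FILES is constructed content, not a real ROM.

```python
import hashlib
import io
import struct
import zipfile

E = 65537
SIG_LEN = 32          # signature size in bytes; both toy moduli are < 256 bits
FOOTER_LEN = 6        # [sig_start LE16][0xFF 0xFF][comment_size LE16]
EOCD_LEN = 22         # fixed part of the zip end-of-central-directory record


def toy_keypair(p, q):
    """Textbook RSA from two primes: returns (d, n). Toy only: no padding, tiny key."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return d, n


# Assumed "vendor" key: recovery carries only n; d stays with the vendor.
VENDOR_D, VENDOR_N = toy_keypair((1 << 127) - 1, (1 << 107) - 1)
# Assumed "attacker" key: anyone can make one of these, which is exactly why
# self-signing does not help.
ATTACKER_D, ATTACKER_N = toy_keypair((1 << 89) - 1, (1 << 127) - 1)

# Constructed sample update contents (a real update-script is much longer).
SAMPLE_FILES = {
    "META-INF/com/google/android/update-script": b"show_progress 0.1 0\n",
    "system/bin/su": b"\x7fELF-placeholder",
}


def make_signed_update(files, d=VENDOR_D, n=VENDOR_N):
    """Build a zip, then append [signature][footer] as the archive comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        # Placeholder comment of the final size, so the EOCD comment-length
        # field is already correct and is itself covered by the signature.
        zf.comment = bytes(SIG_LEN + FOOTER_LEN)
    data = bytearray(buf.getvalue())
    sig_start = SIG_LEN + FOOTER_LEN          # distance from EOF to the signature
    digest = int.from_bytes(hashlib.sha1(data[:-sig_start]).digest(), "big")
    sig = pow(digest, d, n).to_bytes(SIG_LEN, "big")
    footer = struct.pack("<HBBH", sig_start, 0xFF, 0xFF, SIG_LEN + FOOTER_LEN)
    data[-sig_start:] = sig + footer
    return bytes(data)


def verify_update(data, n=VENDOR_N):
    """What recovery does: parse the footer, locate the EOCD record, and check
    the signature against the built-in public key. True only for a file signed
    with the matching private key over exactly these bytes."""
    if len(data) < EOCD_LEN + FOOTER_LEN:
        return False
    sig_start, f2, f3, comment_size = struct.unpack("<HBBH", data[-FOOTER_LEN:])
    if f2 != 0xFF or f3 != 0xFF or sig_start <= FOOTER_LEN or sig_start > comment_size:
        return False
    eocd = len(data) - comment_size - EOCD_LEN
    if eocd < 0 or data[eocd:eocd + 4] != b"PK\x05\x06":
        return False
    if struct.unpack_from("<H", data, eocd + 20)[0] != comment_size:
        return False
    sig = int.from_bytes(data[-sig_start:-FOOTER_LEN], "big")
    digest = int.from_bytes(hashlib.sha1(data[:-sig_start]).digest(), "big")
    return pow(sig, E, n) == digest


def tamper(signed):
    """Flip one byte inside the archive body: the 'edit the ROM and rename it' attempt."""
    out = bytearray(signed)
    out[30] ^= 0x01      # first byte of the first entry's file name
    return bytes(out)


if __name__ == "__main__":
    stock = make_signed_update(SAMPLE_FILES)
    custom = make_signed_update(SAMPLE_FILES, ATTACKER_D, ATTACKER_N)
    print("stock, vendor-signed  :", verify_update(stock))
    print("edited stock zip      :", verify_update(tamper(stock)))
    print("self-signed custom zip:", verify_update(custom))
```

    The three cases line up with the post's failures: the untouched vendor package verifies, one flipped byte anywhere before the signature breaks the hash, and a package signed with a key recovery does not know fails even though it is structurally perfect. Nothing in the zip's name or layout matters; only the private key does.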
  2. Thats

    Thats That guy is This VIP Member

    Joined:
    Feb 19, 2010
    Messages:
    1,169
    Likes Received:
    383
    Does this mean that you have given up on rooting the Eris Acidbath?
     
  3. acidbath5546

    acidbath5546 Well-Known Member This Topic's Starter

    Joined:
    Jan 7, 2010
    Messages:
    575
    Likes Received:
    342
    I am only speaking for myself, but yeah, I have been working on a Nexus 1 ROM for a friend of mine, and hopefully myself when Verizon gets it :)
     
  4. Thats

    Thats That guy is This VIP Member

    Joined:
    Feb 19, 2010
    Messages:
    1,169
    Likes Received:
    383
    Well shit. That bites. :(
     
  5. charklos

    charklos Well-Known Member

    Joined:
    Jan 23, 2010
    Messages:
    88
    Likes Received:
    9
    But hey, thanks for all the info and websites Acid!! You are a gentleman and a scholar. (ps let me know what's up with the Nexus One ROM, I'm gettin it when big red lets it out of the bag too :p) :D
     
  6. andrew8806

    andrew8806 Well-Known Member

    Joined:
    Dec 29, 2009
    Messages:
    139
    Likes Received:
    7
    No worries... we have devs still working on getting this thing rooted and not ones who give up... :p ... We will update androidforums and xda as soon as we get updates...
     
  7. acidbath5546

    acidbath5546 Well-Known Member This Topic's Starter

    Joined:
    Jan 7, 2010
    Messages:
    575
    Likes Received:
    342
    edit myself and taking the high road
     
  8. SoCalSpecialist

    SoCalSpecialist Well-Known Member

    Joined:
    Dec 19, 2009
    Messages:
    69
    Likes Received:
    4
    smart move!

    u make me so proud :p
     
  9. acidbath5546

    acidbath5546 Well-Known Member This Topic's Starter

    Joined:
    Jan 7, 2010
    Messages:
    575
    Likes Received:
    342
    LOL...Socal you almost made coffee come out my nose...LMAO
     
