
Root Root for Fierce 2?

Upvote 0
I ordered this: www.coolicool.com/iocean-m6752-3g-ram-mtk6752-17ghz-octa-core-55-inch-ips-ogs-fhd-screen-android-44-4g-lte-smartpho-g-36582

My son is getting this phone when I get mine. I'm still going to be active here because I would like root and to see the potential of this phone.
Interesting. I've never had a Chinese-branded phone. I suppose Lollipop is out of the question, but it seems really nice spec-wise for that price.

I'll probably still go w/ the Moto G 3 just for name-brand notoriety tho. I'd like root too (which is why I'm here, to see if it happened), I just care a lot less now than before and don't think it will happen on the 7040; higher likelihood on the zmax, and only 99.99 AR.
 
Upvote 0
So I downloaded the src files from the SourceForge project and I was going to compile them and see if I can get a kernel, but there were MediaTek files. I thought we had a Qualcomm Snapdragon? The source files are for the Alcatel Pop C7, which has a completely different SoC than the Fierce 2.

From the manual, it says that we can request the source code for the Fierce 2 and Alcatel is bound to release it "within a period of three years." So we may or may not ever get that...


Edit:
The build files show that the device is codename "yaris_xl" confirmed to be the Alcatel POP C7/6582.
 
Upvote 0
Your Alcatel Fierce 2 you have is actually a Chinese phone. Made by TCL.
 
Upvote 0
Well, I picked one of these up as a toy since I got a steal on it, so I'll throw my hat into the working on root thing. We need a specific set of offsets for the exploit giefroot uses, but this isn't my first rodeo for reverse engineering, so I'll try to keep things updated with realistic expectations as I work on it.

I need a device with wifi calling for one of my lines, but I can't use a phone without root, so over the next week, this is my top priority.
 
Upvote 0
Guys, first of all I want to say sorry for being inactive for a while (school). zxz0O0 wants the stock kernel image; he says the kallsyms is invalid. I don't know how we're going to get it. Any ideas?

You likely sent him a kallsyms with all addresses listed as zeroes, which is worthless. The echo command that disables hiding addresses here can only be run as root. Since obviously no one has a rooted Fierce 2 right now, no one can dump a useful kallsyms. Likewise, without root we can't dump the boot.img to extract the kernel. I haven't intercepted the update to see if it contains a new kernel, but with its small size I doubt it. If anyone has intercepted the update (router logs / etc.), post it up and save me the effort.

We don't get an easy way out on this. I'll be building an exploit from retme7's PoC (and scoty755's fork) as a base, and attempting to find the address for our device through a traditional ROP attack. Giefroot and similar are the end result of this kind of attack, CVE-2014-4322 overflows a buffer to write our desired code to a given address then returns to that address (to shortly sum it up). Without useful dumps we can't currently get, this is something that can't be done without the device, so short of walking one of us through it, I wouldn't expect outside help.

A good portion of the work is already done, our return address just has to be found. In the end if I have any luck, I'll package it up with Keen Team's exploit, as it seems reliable and there's no need to reinvent the wheel.

Anyone who's familiar with this type of thing and has put some time into it should certainly post their WIP, or at least drop me a message if you have work you want kept private. There's no reason to repeat the same work.
 
Upvote 0
That's awesome bro. You sound like you are about to get shit done. Thanks.
 
Upvote 0
I actually did, and without root there's no valid kallsyms. We have to find the kernel, and the update won't help. If you do need help building an exploit, I'm in.
 
Upvote 0
If he rooted it, save us some work and dump a couple of files. From a terminal on the phone (or an ADB shell), run these commands.

su                                                   # become root
echo 0 > /proc/sys/kernel/kptr_restrict              # stop the kernel zeroing addresses in kallsyms
cat /proc/kallsyms > /data/local/tmp/kallsyms        # dump symbol table with real addresses
cp /data/local/tmp/kallsyms /sdcard/kallsyms         # copy it somewhere reachable over MTP/adb pull
dd if=/dev/block/mmcblk0p7 of=/data/local/tmp/boot.img          # raw boot partition (kernel + ramdisk)
dd if=/dev/block/mmcblk0p29 of=/data/local/tmp/recovery.img     # raw recovery partition
cp /data/local/tmp/*.img /sdcard/                    # copy both images to internal storage
Then upload boot.img, recovery.img, and kallsyms.
 
Upvote 0
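A quick check for the kallsyms file those commands produce, added here as an example and not code from the thread: it parses the dump and reports whether kptr_restrict left every address zeroed, the "worthless" case described a few posts up, and whether the addresses are 32- or 64-bit wide. The sample dumps inside are constructed, not from a real Fierce 2.

```python
"""Sanity-check a /proc/kallsyms dump before uploading it (added example).

A dump taken while kptr_restrict is enabled shows every address as zeros and
is useless for symbol lookup. The sample dumps below are constructed."""
import re
from collections import Counter

# kallsyms line format: <hex address> <type letter> <symbol>[\t[module]]
_LINE = re.compile(r"^([0-9a-fA-F]+) ([A-Za-z?]) (\S+)(?:\t\[(\S+)\])?$")


def parse_kallsyms(text):
    """Return (entries, address_width). Malformed lines are skipped."""
    entries, widths = [], Counter()
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        addr, kind, name, module = m.groups()
        entries.append((int(addr, 16), kind, name, module))
        widths[len(addr)] += 1
    width = widths.most_common(1)[0][0] if widths else None
    return entries, width


def assess_kallsyms(text):
    """Summarise usability: symbol count, zero addresses, hidden flag,
    and address width (8 hex digits = 32-bit kernel, 16 = 64-bit)."""
    entries, width = parse_kallsyms(text)
    zero = sum(1 for addr, *_ in entries if addr == 0)
    return {
        "symbols": len(entries),
        "zero_addresses": zero,
        "hidden": bool(entries) and zero == len(entries),
        "address_width": width,
    }


# Constructed samples: dumped with kptr_restrict=1 (hidden) and after
# "echo 0 > /proc/sys/kernel/kptr_restrict" (usable, 32-bit addresses).
HIDDEN_DUMP = "00000000 T _stext\n00000000 T printk\n00000000 t mod_fn\t[example]\n"
USABLE_DUMP = "c0008000 T _stext\nc0051a3c T printk\nbf000200 t mod_fn\t[example]\n"

if __name__ == "__main__":
    for label, dump in (("hidden", HIDDEN_DUMP), ("usable", USABLE_DUMP)):
        print(label, assess_kallsyms(dump))
```

Run it against the real file with `assess_kallsyms(open("kallsyms").read())`; a result with `hidden` set to True means the echo step was skipped or run without root.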
Oh, that's cool your brother rooted your phone. I have a pet chimpanzee, and I came home and he was playing with my phone and somehow he rooted it, but when I asked him how he did it all he did was a bunch of sign language. Unfortunately I don't read sign language.
lol, and the JK. But seriously, if your brother rooted your phone, that's awesome. Are you sure he didn't just unlock it so you can use a different carrier?
 
Upvote 0