
Root Eris Root Exploits/Methods Tried..... For anyone to poke through...

Discussion in 'Android Devices' started by acidbath5546, Mar 4, 2010.

  1. acidbath5546

    acidbath5546 Well-Known Member
    Thread Starter

    I took a hiatus/leave from the now semi-defunct Eris Root Dev Team.
    XDA became a flamer zone, and I decided to move on to bigger and better things.
    Just in case anyone out there is looking to work more on Root/Exploits, here is a bunch of tried-and-failed info/links.

    A lot of people are new and want to learn. This is AWESOME!
    So if you are new and want to learn a bit more and maybe root or cook your own ROM down the road, here are some ideas :)

    What really helped me was downloading an Ubuntu environment and messing around with that.
    Head over to XDA and check out the old G1 and Hero ROM/Root Threads.

    This site was great for me starting:
    KernelHacking - Linux Kernel Newbies

    I would say start here:
    CompleteNewbiesClickHere - Linux Kernel Newbies


    Known Exploits for our Eris!
    Exploits for Eris

    Feel free to edit and publish more you've found!

    http://downloads.securityfocus.com/v...oits/36901-2.c - Nindoja simpler exploit

    Linux Kernel 'pipe.c' Local Privilege Escalation Vulnerability

    http://downloads.securityfocus.com/v...oits/36901-1.c
    http://xorl.wordpress.com/2010/01/14...se-after-free/ - FASYNC; Will work after removing at_random (At_random doesn't exist on Eris)


    Rooting Status/Methods:

    HTC released the kernel code for our Eris! See here:
    HTC - Developer Center

    We should use this Format (thanks Videofolife13)

    Tried: milw0rm/exploits/8478
    Worked (y/n): no
    Why?: Does not affect this kernel version.

    Tried: asroot2
    Worked (y/n): no
    Why?: Hole was more than likely patched.

    Tried: Flashrec
    Worked (y/n): No
    Why?: See above

    Tried: Renaming a rom UPDATE.ZIP / PB001ZIP
    Worked (y/n): no
    Why?: Roms are signed by HTC. We can't sign our own

    Tried: Linux Kernel 2.6 UDEV Local Privilege Escalation Exploit
    Worked (y/n): no
    Why?: I don't know. May be something to look further into.

    Tried: current->clear_child_tid pointer http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-2848
    Worked (y/n): ?
    Why?: Never followed up

    Tried: Buffer over run open ports
    Worked (y/n): ?
    Why?: Suggested by Jmanly, but documentation for an exploit that could work was never found.

    Tried: Editing recovery.zip that goes right into the Ruu
    Worked (y/n): no
    Why?: This was trying to use the RUU to our advantage and write a custom recovery image to the phone through it. It didn't work because the modified roms failed a signature check.

    Tried: Buffers/Editing Recovery/Running Different Recoveries.
    Worked (y/n): no
    Why?: It just didn't want to; it would not patch/run successfully.

    Tried:
    Linux Kernel 'drivers/scsi/gdth.c' Local Privilege Escalation Vulnerability Here is some more info on it. Problem Description: Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel: Array index error in the gdth_read_event function in drivers/scsi/gdth.c in the Linux kernel before 2.6.32-rc8 allows local users to cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request. (CVE-2009-3080).

    Result:
    SCSI support hasn't been compiled in for our device

    Tried:
    Linux Kernel 'pipe.c' Local Privilege Escalation Vulnerability

    Result:
    This exploit is better known in the Android community as "asroot2".
    Vulnerable Devices:
    Hero
    Patched Devices:
    Droid Eris (Desire)

    Tried:
    Linux Kernel 2.4 and 2.6 Local Information Disclosure Vulnerability
    Result:
    Just a local information disclosure bug; definitely the cocoon of a vulnerability, but not a vulnerability in itself.

    Tried:
    Linux Kernel 'fasync_helper()' Local Privilege Escalation Vulnerability
    Result:
    Turns out our device was not vulnerable.

    Tried:
    Linux Kernel 'ebtables' Security Bypass Vulnerability
    Result:
    Just a vulnerability against ebtables, firewall and internet traffic filtering software.

    Tried:
    Replacing the stock imgs in the Google SDK with the ones we have gotten from the Eris via adb pull.
    Result:
    All of what the RUU does can be found in the same place as "rom.zip" after it has been loaded. XDA has a tutorial, I don't remember where, just somewhere in %APPDATA%/Temp. The "fastboot oem" commands only work in oem-78 mode (or w/e it is). We still can't push unsigned zips here though; tried and failed.

    Name: udev privilege escalation
    Known Exploits:
    Linux Kernel 2.6 UDEV Local Privilege Escalation Exploit
    Linux Kernel 2.6 UDEV < 141 Local Privilege Escalation Exploit
    Tried: #8572: Compiles but doesn't do anything. Turns out Android doesn't use udev apparently, so this won't work.

    Name: pipe.c bug (aka asroot2)
    Known Exploits:
    Linux Kernel 'pipe.c' Local Privilege Escalation Vulnerability (there are 4 different implementations here)
    Tried: Already been tried before as mentioned on the xda forums, turns out Eris kernel has a patch

    Name: sock_sendpage() / ip_append_data()
    Known Exploits: there are a tonne of implementations for this one on milw0rm; the two that may apply to the Eris, I believe, are:
    Linux Kernel 2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver)
    Linux Kernel 2.4/2.6 sock_sendpage() Local Root Exploit (ppc) (this one might only apply to SElinux)

    Tried: I am trying to get 9479 to compile still, and some of the implementations mention use of pulseaudio, which I am not sure is available on Eris

    Tried: reflash using mtty
    Failed: only works for Windows Mobile
     


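    Editor's added example (not code from this thread or from any of the PoCs it links): most of the "Tried / Worked: no" entries above come down to two pre-flight questions that are cheap to answer on the target before porting a PoC. First, is the running kernel older than the version the advisory says fixed the bug? That only yields "worth trying": a vendor backport, which is what the posts hit with pipe.c, is invisible to a version compare, and so is a driver that simply isn't built in (the gdth result). Second, does the kernel hand the process an AT_RANDOM auxv entry? AT_RANDOM was added in mainline 2.6.29, so a PoC that reads it fails on an older kernel, which is consistent with the "at_random doesn't exist on Eris" note. The fix version table below carries only the gdth figure quoted in the post (fixed before 2.6.32-rc8); every other fix version is an input you fill in from the advisory, and the AT_RANDOM fallback value is there for old libc headers that lack the macro.

```c
/* preflight.c - added example for this thread, not code from any linked PoC.
 * Build: gcc -std=c99 -Wall -o preflight preflight.c ; run on the target
 * (or on a dev box for comparison). */
#include <stdio.h>
#include <string.h>
#include <elf.h>
#include <sys/types.h>
#include <sys/utsname.h>

#ifndef AT_RANDOM
#define AT_RANDOM 25   /* 2010-era bionic/glibc headers may not define it */
#endif

struct kver { int major, minor, patch; };

/* Parse "2.6.27-8a3f9f10" or "2.6.32-rc8" into numeric fields. Everything
 * after the patch level (rc tag, local version) is ignored, so 2.6.32-rc8
 * compares equal to 2.6.32: write an advisory's "fixed in 2.6.32-rc8" as
 * "2.6.32". */
static int parse_kver(const char *s, struct kver *v)
{
    v->major = v->minor = v->patch = 0;
    return sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch) >= 2 ? 0 : -1;
}

static int kver_cmp(const struct kver *a, const struct kver *b)
{
    if (a->major != b->major) return a->major - b->major;
    if (a->minor != b->minor) return a->minor - b->minor;
    return a->patch - b->patch;
}

/* 1 if `running` is older than `fixed_in` (bug possibly present), 0 if it
 * is at or past the fix, -1 if either string is unparseable. A backported
 * fix is invisible here, so 1 never means "vulnerable". */
int kernel_possibly_vulnerable(const char *running, const char *fixed_in)
{
    struct kver r, f;
    if (parse_kver(running, &r) < 0 || parse_kver(fixed_in, &f) < 0) return -1;
    return kver_cmp(&r, &f) < 0;
}

/* Scan a raw auxv image (pairs of native words {type, value}, terminated by
 * an AT_NULL pair) for `type`. memcpy avoids alignment assumptions on buf;
 * anything after AT_NULL is ignored, as the kernel/loader would ignore it. */
int auxv_find(const unsigned char *buf, size_t len, unsigned long type,
              unsigned long *val)
{
    unsigned long pair[2];
    for (size_t off = 0; off + sizeof pair <= len; off += sizeof pair) {
        memcpy(pair, buf + off, sizeof pair);
        if (pair[0] == AT_NULL) break;
        if (pair[0] == type) { if (val) *val = pair[1]; return 1; }
    }
    return 0;
}

/* This process's own auxv exactly as the kernel laid it out; -1 if procfs
 * is not mounted or not readable. */
ssize_t read_self_auxv(unsigned char *buf, size_t cap)
{
    FILE *f = fopen("/proc/self/auxv", "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, cap, f);
    fclose(f);
    return (ssize_t)n;
}

int main(void)
{
    /* Fix versions are the input you take from each advisory; the only one
     * the thread itself quotes is gdth (before 2.6.32-rc8, CVE-2009-3080). */
    static const struct { const char *bug, *fixed_in; } advisories[] = {
        { "drivers/scsi/gdth.c negative event index (CVE-2009-3080)", "2.6.32" },
    };
    struct utsname u;
    if (uname(&u) != 0) { perror("uname"); return 1; }
    printf("kernel: %s\n", u.release);
    for (size_t i = 0; i < sizeof advisories / sizeof advisories[0]; i++) {
        int r = kernel_possibly_vulnerable(u.release, advisories[i].fixed_in);
        printf("  %-60s %s\n", advisories[i].bug,
               r < 0 ? "version unparseable" :
               r     ? "older than fix: worth trying (still check for a backport "
                       "and that the driver is built in)" :
                       "at/after fix: skip");
    }
    unsigned char buf[4096];
    unsigned long v;
    ssize_t n = read_self_auxv(buf, sizeof buf);
    if (n < 0) { puts("no /proc/self/auxv; cannot check AT_RANDOM"); return 0; }
    if (auxv_find(buf, (size_t)n, AT_RANDOM, &v))
        printf("AT_RANDOM present (%#lx): PoCs that read it can stay as-is\n", v);
    else
        puts("AT_RANDOM absent (pre-2.6.29 kernel): strip that lookup from the PoC");
    return 0;
}
```

    Running it on the phone (via adb shell) and on the desktop side by side shows immediately which published PoCs need the AT_RANDOM lookup removed, and the version table keeps the "why it didn't work" column honest: a result of "older than fix" is where the real work starts, not where it ends.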
  2. Thats

    Thats That guy is This

    Does this mean that you have given up on rooting the Eris Acidbath?
     
  3. acidbath5546

    acidbath5546 Well-Known Member
    Thread Starter

    I am only speaking for myself, but yeah, I have been working on a Nexus 1 ROM for a friend of mine, and hopefully myself when Verizon gets it :)
     
  4. Thats

    Thats That guy is This

    Well shit. That bites. :(
     
  5. charklos

    charklos Well-Known Member

    But hey, thanks for all the info and websites, Acid!! You are a gentleman and a scholar. (PS: let me know what's up with the Nexus One ROM, I'm getting it when Big Red lets it out of the bag too :p) :D
     
  6. andrew8806

    andrew8806 Well-Known Member

    No worries... we have devs still working on getting this thing rooted and not ones who give up... :p ... We will update androidforums and xda as soon as we get updates...
     
  7. acidbath5546

    acidbath5546 Well-Known Member
    Thread Starter

    edit myself and taking the high road
     
  8. SoCalSpecialist

    SoCalSpecialist Well-Known Member

    smart move!

    u make me so proud :p
     
  9. acidbath5546

    acidbath5546 Well-Known Member
    Thread Starter

    LOL...Socal you almost made coffee come out my nose...LMAO
     
