绝客BLog
#海贝r5# 海贝 R5 root 方法
所有需要的文件在这里下载 :
https://drive.google.com/file/d/1zuWKjypaVkfKrhaI3nQa2891kYdRR3HQ/view?usp=sharing
0. 主要思路:海贝 R5 官方没有解锁 bootloader 的办法,只能另辟蹊径。幸运的是,R5 采用的是 aosp 8.0 系统,内核版本信息为 Linux localhost 3.18.71-perf,这个版本的内核有 cve-2019-2215 提权漏洞可以利用。在使用漏洞进行提权后,提取 boot 分区,并使用 magisk 进行 patch 后刷回,实现 root。
请注意,本教程需要大量的命令行操作,误操作很容易变砖,官方也没有提供刷机包,搞不好就会返厂,操作前请三思。
1. 使用提权漏洞获得临时root权限:首先使用 adb 将 su98 和 su98k 两个可执行文件下载到设备上。请解压后,在当前目录打开终端或者 powershell(或者自行调整命令的路径,以下不再解释路径的问题)。并执行:
adb push ./su98 /data/local/tmp
adb push ./su98k /data/local/tmp
然后我们需要授予可执行权限,使用 adb shell 进行的操作以>开头:
adb shell
> cd /data/local/tmp
> chmod 775 *
授权后,先运行su98:
> ./su98
以下是运行时的提示,可能不尽相同,运行结束后看见 # 符号便成功获得伪root
R5:/data/local/tmp $ ./su98
MAIN: detected kernel version 3
MAIN: starting exploit for devices with waitqueue at 0x98
PARENT: soon will be calling WRITEV
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
CHILD: initial portion length 0x12000
CHILD: task_struct_ptr = 0xffffffc032d93fc0
CHILD: clobbering with extra leak structures
PARENT: clobbering at 0xffffffc0431202a0
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
PARENT: readv returns 69688, expected 69688
PARENT: clobbering test passed
CHILD: clobbered
PARENT: writev() returns 0x13008
PARENT: Reading leaked data
CHILD: task_struct_ptr = 0xffffffc015d30000
CHILD: Finished write to FIFO.
CHILD: wrote 69688
PARENT: leaking successful
MAIN: thread_info should be in stack
MAIN: parsing kernel stack to find thread_info
PARENT: soon will be calling WRITEV
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
CHILD: initial portion length 0x12000
CHILD: task_struct_ptr = 0xffffffc032d93fc0
CHILD: clobbering with extra leak structures
PARENT: clobbering at 0xffffffc043120ea0
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
PARENT: readv returns 69688, expected 69688
PARENT: clobbering test passed
CHILD: clobbered
CHILD: extra leak
PARENT: writev() returns 0x17008
PARENT: Reading leaked data
CHILD: Finished write to FIFO.
PARENT: Reading extra leaked data
PARENT: leaking successful
MAIN: task_struct_ptr = ffffffc032d93fc0
MAIN: thread_info_ptr = ffffffc015d30000
MAIN: Clobbering addr_limit
PARENT: clobbering at 0xffffffc015d30008
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
CHILD: wrote 69648
PARENT: readv returns 69648, expected 69648
PARENT: clobbering test passed
MAIN: thread_info = 0xffffffc015d30000
MAIN: should have stable kernel R/W now
MAIN: searching for cred offset in task_struct
MAIN: search_base = ffffffc000000000
MAIN: searching for selinux_enforcing
MAIN: searching for kallsyms format strings
MAIN: **partial failure** cannnot fix kallsyms format string
MAIN: searching for kallsyms table
MAIN: kallsyms names start at 0xffffffc000f5a900 and have 129536 entries
MAIN: kallsyms names end at 0xffffffc001057900
MAIN: direct search didn't work, so searching via avc_denied
MAIN: searching for kallsyms format strings
MAIN: **partial failure** cannnot fix kallsyms format string
MAIN: searching for kallsyms table
MAIN: setting root credentials with cred offset 670
MAIN: UID = 0
MAIN: enabling capabilities
MAIN: SECCOMP status 0
MAIN: **FAIL** did not find selinux_enforcing symbol
MAIN: re-joining init mount namespace
MAIN: rejoining init net namespace
MAIN: root privileges ready
MAIN: popping out root shell
R5:/data/local/tmp #
此后我们在伪root环境下运行su98k以干掉selinux,实现完整的提权:
> ./su98k
以下是运行后的提示:
R5:/data/local/tmp # ./su98k
MAIN: detected kernel version 3
MAIN: starting exploit for devices with waitqueue at 0x98
PARENT: soon will be calling WRITEV
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
CHILD: initial portion length 0x12000
CHILD: task_struct_ptr = 0x0
PARENT: writev() returns 0x13008
PARENT: Reading leaked data
CHILD: task_struct_ptr = 0x0
CHILD: Finished write to FIFO.
CHILD: **fail** problematic address pointer, e.g., 0
MAIN: **fail** retrying
PARENT: soon will be calling WRITEV
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
CHILD: initial portion length 0x12000
CHILD: task_struct_ptr = 0xffffffc032d94c80
CHILD: clobbering with extra leak structures
PARENT: clobbering at 0xffffffc0331d0ca0
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
PARENT: readv returns 69688, expected 69688
PARENT: clobbering test passed
CHILD: clobbered
PARENT: writev() returns 0x13008
PARENT: Reading leaked data
CHILD: task_struct_ptr = 0xffffffc015cac000
CHILD: Finished write to FIFO.
CHILD: wrote 69688
PARENT: leaking successful
MAIN: took 1 tries but did it
MAIN: task_struct_ptr = ffffffc032d94c80
MAIN: stack = ffffffc015cac000
MAIN: Clobbering addr_limit
PARENT: clobbering at 0xffffffc015cac008
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
PARENT: readv returns 69648, expected 69648
PARENT: **fail** clobber value doesn't match: is 0 but should be abcddeadbeef1234
MAIN: **fail** retrying
PARENT: clobbering at 0xffffffc015cac008
CHILD: wrote 69648
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
PARENT: readv returns 69648, expected 69648
PARENT: clobbering test passed
MAIN: took 1 tries but did it
MAIN: thread_info = 0xffffffc015cac000
MAIN: should have stable kernel R/W now
MAIN: searching for cred offset in task_struct
MAIN: search_base = ffffffc000000000
MAIN: searching for selinux_enforcing
MAIN: searching for kallsyms table
CHILD: wrote 69648
MAIN: kallsyms names start at 0xffffffc000f5a900 and have 129536 entries
MAIN: kallsyms names end at 0xffffffc001057900
found symbol in kernel memory
MAIN: setting root credentials with cred offset 670
MAIN: UID = 0
MAIN: enabling capabilities
MAIN: SECCOMP status 0
MAIN: disabled selinux enforcing
MAIN: root privileges ready
MAIN: popping out root shell
R5:/data/local/tmp #
此时我们获得了完整的root权限,下面进行boot分区的提取
2.提取boot: 我们使用dd工具进行提取和刷入boot.img,使用以下命令提取 boot 到内部存储卡
> dd if=/dev/block/bootdevice/by-name/boot of=/sdcard/boot.img
以下是运行后的提示:
131072+0 records in
131072+0 records out
67108864 bytes transferred in 2.666 secs (25172117 bytes/sec)
3.给boot.img 打patch:安装magisk并打开,选择安装,修补boot。修补成功的boot.img 在 /sdcard/Download 文件夹下,名称类似于 magisk_patched-25202_z83aT.img
注意不要拔除数据线,不小心拔了就重新进行第一步
4.使用 dd 把修补好的 boot.img 刷回去,请根据自己生成的文件修改下面if的路径:
> dd if=/sdcard/Download/magisk_patched-25202_z83aT.img of=/dev/block/bootdevice/by-name/boot
完成后重启设备,完成root。
请注意,root后无法进行ota,就算通过zygisk绕过检测,在recovery安装过程也会报错。要恢复ota请刷回原版boot。
