海贝R5 root 方法:理论上适用于其他Android 8.0的播放器

绝客博客 浏览966

#海贝r5# 海贝 R5 root 方法

所有需要的文件在这里下载 :

https://drive.google.com/file/d/1zuWKjypaVkfKrhaI3nQa2891kYdRR3HQ/view?usp=sharing 

0. 主要思路:海贝 R5 官方没有解锁 bootloader 的办法,只能另辟蹊径。幸运的是,R5 采用的是 aosp 8.0 系统,内核版本信息为 Linux localhost 3.18.71-perf,这个版本的内核有 cve-2019-2215 提权漏洞可以利用。在使用漏洞进行提权后,提取 boot 分区,并使用 magisk 进行 patch 后刷回,实现 root。

image.png

请注意,本教程需要大量的命令行操作,误操作很容易变砖,官方也没有提供刷机包,搞不好就会返厂,操作前请三思。

1. 使用提权漏洞获得临时root权限:首先使用 adb 将 su98 和 su98k 两个可执行文件下载到设备上。请解压后,在当前目录打开终端或者 powershell(或者自行调整命令的路径,以下不再解释路径的问题)。并执行:

adb push ./su98 /data/local/tmp

adb push ./su98k /data/local/tmp

然后我们需要授予可执行权限,使用 adb shell 进行的操作以>开头:

adb shell

> cd /data/local/tmp

> chmod 775 *

授权后,先运行su98:

> ./su98


以下是运行时的提示,可能不尽相同,运行结束后看见 # 符号便成功获得伪root


R5:/data/local/tmp $ ./su98

MAIN: detected kernel version 3

MAIN: starting exploit for devices with waitqueue at 0x98

PARENT: soon will be calling WRITEV

CHILD: Doing EPOLL_CTL_DEL.

CHILD: Finished EPOLL_CTL_DEL.

CHILD: initial portion length 0x12000

CHILD: task_struct_ptr = 0xffffffc032d93fc0

CHILD: clobbering with extra leak structures

PARENT: clobbering at 0xffffffc0431202a0

CHILD: Doing EPOLL_CTL_DEL.

CHILD: Finished EPOLL_CTL_DEL.

PARENT: readv returns 69688, expected 69688

PARENT: clobbering test passed

CHILD: clobbered

PARENT: writev() returns 0x13008

PARENT: Reading leaked data

CHILD: task_struct_ptr = 0xffffffc015d30000

CHILD: Finished write to FIFO.

CHILD: wrote 69688

PARENT: leaking successful

MAIN: thread_info should be in stack

MAIN: parsing kernel stack to find thread_info

PARENT: soon will be calling WRITEV

CHILD: Doing EPOLL_CTL_DEL.

CHILD: Finished EPOLL_CTL_DEL.

CHILD: initial portion length 0x12000

CHILD: task_struct_ptr = 0xffffffc032d93fc0

CHILD: clobbering with extra leak structures

PARENT: clobbering at 0xffffffc043120ea0

CHILD: Doing EPOLL_CTL_DEL.

CHILD: Finished EPOLL_CTL_DEL.

PARENT: readv returns 69688, expected 69688

PARENT: clobbering test passed

CHILD: clobbered

CHILD: extra leak

PARENT: writev() returns 0x17008

PARENT: Reading leaked data

CHILD: Finished write to FIFO.

PARENT: Reading extra leaked data

PARENT: leaking successful

MAIN: task_struct_ptr = ffffffc032d93fc0

MAIN: thread_info_ptr = ffffffc015d30000

MAIN: Clobbering addr_limit

PARENT: clobbering at 0xffffffc015d30008

CHILD: Doing EPOLL_CTL_DEL.

CHILD: Finished EPOLL_CTL_DEL.

CHILD: wrote 69648

PARENT: readv returns 69648, expected 69648

PARENT: clobbering test passed

MAIN: thread_info = 0xffffffc015d30000

MAIN: should have stable kernel R/W now

MAIN: searching for cred offset in task_struct

MAIN: search_base = ffffffc000000000

MAIN: searching for selinux_enforcing

MAIN: searching for kallsyms format strings

MAIN: **partial failure** cannnot fix kallsyms format string

MAIN: searching for kallsyms table

MAIN: kallsyms names start at 0xffffffc000f5a900 and have 129536 entries

MAIN: kallsyms names end at 0xffffffc001057900

MAIN: direct search didn't work, so searching via avc_denied

MAIN: searching for kallsyms format strings

MAIN: **partial failure** cannnot fix kallsyms format string

MAIN: searching for kallsyms table

MAIN: setting root credentials with cred offset 670

MAIN: UID = 0

MAIN: enabling capabilities

MAIN: SECCOMP status 0

MAIN: **FAIL** did not find selinux_enforcing symbol

MAIN: re-joining init mount namespace

MAIN: rejoining init net namespace

MAIN: root privileges ready

MAIN: popping out root shell

R5:/data/local/tmp #


此后我们在伪root环境下运行su98k以干掉selinux,实现完整的提权:

> ./su98k


以下是运行后的提示:

R5:/data/local/tmp # ./su98k

MAIN: detected kernel version 3

MAIN: starting exploit for devices with waitqueue at 0x98

PARENT: soon will be calling WRITEV

CHILD: Doing EPOLL_CTL_DEL.

CHILD: Finished EPOLL_CTL_DEL.

CHILD: initial portion length 0x12000

CHILD: task_struct_ptr = 0x0

PARENT: writev() returns 0x13008

PARENT: Reading leaked data

CHILD: task_struct_ptr = 0x0

CHILD: Finished write to FIFO.

CHILD: **fail** problematic address pointer, e.g., 0

MAIN: **fail** retrying

PARENT: soon will be calling WRITEV

CHILD: Doing EPOLL_CTL_DEL.

CHILD: Finished EPOLL_CTL_DEL.

CHILD: initial portion length 0x12000

CHILD: task_struct_ptr = 0xffffffc032d94c80

CHILD: clobbering with extra leak structures

PARENT: clobbering at 0xffffffc0331d0ca0

CHILD: Doing EPOLL_CTL_DEL.

CHILD: Finished EPOLL_CTL_DEL.

PARENT: readv returns 69688, expected 69688

PARENT: clobbering test passed

CHILD: clobbered

PARENT: writev() returns 0x13008

PARENT: Reading leaked data

CHILD: task_struct_ptr = 0xffffffc015cac000

CHILD: Finished write to FIFO.

CHILD: wrote 69688

PARENT: leaking successful

MAIN: took 1 tries but did it

MAIN: task_struct_ptr = ffffffc032d94c80

MAIN: stack = ffffffc015cac000

MAIN: Clobbering addr_limit

PARENT: clobbering at 0xffffffc015cac008

CHILD: Doing EPOLL_CTL_DEL.

CHILD: Finished EPOLL_CTL_DEL.

PARENT: readv returns 69648, expected 69648

PARENT: **fail** clobber value doesn't match: is 0 but should be abcddeadbeef1234

MAIN: **fail** retrying

PARENT: clobbering at 0xffffffc015cac008

CHILD: wrote 69648

CHILD: Doing EPOLL_CTL_DEL.

CHILD: Finished EPOLL_CTL_DEL.

PARENT: readv returns 69648, expected 69648

PARENT: clobbering test passed

MAIN: took 1 tries but did it

MAIN: thread_info = 0xffffffc015cac000

MAIN: should have stable kernel R/W now

MAIN: searching for cred offset in task_struct

MAIN: search_base = ffffffc000000000

MAIN: searching for selinux_enforcing

MAIN: searching for kallsyms table

CHILD: wrote 69648

MAIN: kallsyms names start at 0xffffffc000f5a900 and have 129536 entries

MAIN: kallsyms names end at 0xffffffc001057900

found symbol in kernel memory

MAIN: setting root credentials with cred offset 670

MAIN: UID = 0

MAIN: enabling capabilities

MAIN: SECCOMP status 0

MAIN: disabled selinux enforcing

MAIN: root privileges ready

MAIN: popping out root shell

R5:/data/local/tmp #


此时我们获得了完整的root权限,下面进行boot分区的提取

2.提取boot: 我们使用dd工具进行提取和刷入boot.img,使用以下命令提取 boot 到内部存储卡

> dd if=/dev/block/bootdevice/by-name/boot of=/sdcard/boot.img

以下是运行后的提示:

131072+0 records in

131072+0 records out

67108864 bytes transferred in 2.666 secs (25172117 bytes/sec)

3.给boot.img 打patch:安装magisk并打开,选择安装,修补boot。修补成功的boot.img 在 /sdcard/Download 文件夹下,名称类似于 magisk_patched-25202_z83aT.img

注意不要拔除数据线,不小心拔了就重新进行第一步

4.使用 dd 把修补好的 boot.img 刷回去,请根据自己生成的文件修改下面if的路径:

> dd if=/sdcard/Download/magisk_patched-25202_z83aT.img of=/dev/block/bootdevice/by-name/boot

完成后重启设备,完成root。

请注意,root后无法进行ota,就算通过zygisk绕过检测,在recovery安装过程也会报错。要恢复ota请刷回原版boot。

image.png

 End 

分享