General XDA Article: PSA: Dirty Pipe, the Linux kernel root vulnerability, can be abused on the Samsung Galaxy S22 and Google Pixel 6 Pro - Google Pixel 6 Pro

https://www.xda-developers.com/dirty-pipe-root-demo-samsung-galaxy-s22-google-pixel-6-pro/
March 15, 2022 7:40am, by Skanda Hazarika
PSA: Dirty Pipe, the Linux kernel root vulnerability, can be abused on the Samsung Galaxy S22 and Google Pixel 6 Pro
What happens when a Linux privilege-escalation vulnerability that also affects Android gets disclosed publicly? You got it! Security researchers and Android enthusiasts around the world try to take advantage of the newly found problem to create an exploit, which can be used to gain advanced access to your device (such as root or the ability to flash custom images). On the other hand, device makers and a few determined third-party developers quickly take on the responsibility of patching the hole as soon as possible.
This is exactly what happened with CVE-2022-0847, a vulnerability dubbed “Dirty Pipe” in Linux kernel version 5.8 and later. We talked about the exploit in detail last week but didn’t explicitly cover the potential abuse scenarios on Android. Now, XDA Member Fire30 has demonstrated an exploit implementation around the kernel flaw that can give the attacker a root shell on the Samsung Galaxy S22 and the Google Pixel 6 Pro.
The key point here is that you don’t need any kind of unlocking or other trickery to make it work: the Dirty Pipe exploit allows the attacker to gain root-level access on the target device through a reverse shell via a specially crafted rogue app. At the time of writing, flagships like the Google Pixel 6 Pro and the Samsung Galaxy S22 are vulnerable to this attack vector even on their latest software releases, which shows how serious the exploit is. Since it can also set SELinux to permissive, there is virtually no hurdle against unauthorized control over the device.
From the perspective of the Android modding scene, Dirty Pipe might be useful to gain temporary root access on otherwise difficult-to-root Android smartphones, e.g., some regional Snapdragon variants of the Samsung Galaxy flagships. However, the window won’t last long, as the vulnerability has already been patched in the mainline Linux kernel, and OEMs will probably roll out the fix as part of the upcoming monthly security updates. Nonetheless, stay away from installing apps from random sources for the time being to protect yourself. In the meantime, we expect that Google will push an update to Play Protect to prevent the vulnerability from being exploited via rogue apps.
Source: Fire30 on Twitter
Via: Mishaal Rahman

This isn't necessarily bad news if the exploit is used non-maliciously. Could be beneficial for Verizon customers looking for a way to gain root.

westhaking said:
This isn't necessarily bad news if the exploit is used non-maliciously. Could be beneficial for Verizon customers looking for a way to gain root.
Could, yes. I'll remain pessimistic that it'll actually happen, and of course, it'll take someone willing to actually do the work. A very limited time to do it doesn't help unless someone with a spare Verizon device keeps it off the network/internet until something is implemented.

westhaking said:
This isn't necessarily bad news if the exploit is used non-maliciously. Could be beneficial for Verizon customers looking for a way to gain root.
I was just reading about this & that exact thought came to mind. The root access gained seems to be temporary, but if you can write to the usually read-only file system, could you not theoretically write a Magisk boot image (using dd, or in Magisk Manager itself?) or even toggle the OEM unlock switch via an SU shell command to unlock the phone?
I'm not very well versed in how the mechanics behind the OEM unlock switch in developer settings work, or how Verizon locks these phones down (UK based), but I would assume that it could be useful to help find an exploit for phones running any pre-April 22 update.
Edit: from my limited knowledge, can you not sideload an earlier OTA on Verizon devices? I know you could do so with Pixel 3 and earlier, but I haven't been following it too closely with later devices.

DanielF50 said:
or even toggle the OEM unlock switch via an SU shell command to unlock the phone?
I've never heard of a shell command that could toggle the OEM unlock. That doesn't mean it hasn't existed, but I doubt it, otherwise, I would think on all the Verizon devices I used to have, and just root threads in general I should remember anyone making the suggestion, even if it required temporary root first.
DanielF50 said:
Edit: from my limited knowledge, can you not sideload an earlier OTA on Verizon devices? I know you could do so with Pixel 3 and earlier, but I haven't been following it too closely with later devices.
I was under the impression that all phones with the bootloader locked that you could never, ever downgrade via any method. Also, OTAs generally use deltas/differencing to patch known good files of version A to version B, and B to C, so applying a version B OTA to a device that's on version C would fail because the files on the device are the wrong version.
Like (let version A be represented with the value 1, B with 4, and C with 9):
Device is on version B, so "4".
OTA to go from B to C comes.
OTA says is device file "4"?
Yes! Add 5 to the file, it's now "9".
and then
Device is on version C, so "9".
Try to put the B to C OTA on the device.
OTA says is device file "4"?
No! It's "9", quit OTA process.
This might be simplified, and anyone correct me if I'm wrong, but this has definitely been the case some of the time, and I believe almost all, if not all, the time. The OTA files can be smaller that way because they don't contain replacement files. They only contain the difference between the old file and the new, which is usually much smaller than the entire file.
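The precondition check walked through in the post above ("is the device file 4?"), as an added example. This is not code from the thread or from Android's own updater: the delta format, the SHA-256 pre- and post-hashes, the names make_delta/apply_delta/try_apply and the sample "files" are my assumptions, and Android's real A/B payload format differs. It also goes slightly beyond the post by handling edits that change the file length.

```python
"""Added example: why a delta OTA refuses to apply to the wrong base version.

Constructed model, not Android's updater: a Delta carries the SHA-256 of the
exact source file it was built from, the SHA-256 of the expected result, and a
list of byte-range edits. Applying it checks the precondition (is this file the
"4" the OTA expects?) before touching anything, and the postcondition afterwards.
"""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Delta:
    src_hash: str   # hash the device file must have before patching
    dst_hash: str   # hash the patched file must have afterwards
    edits: list     # (offset, old_len, new_bytes) replacements


def make_delta(src: bytes, dst: bytes) -> Delta:
    """Build a minimal delta: one edit per run of differing bytes, plus one
    edit for any length difference at the tail. The delta stores only the
    changed bytes, not the whole new file (the post's point about size)."""
    n = min(len(src), len(dst))
    edits = []
    i = 0
    while i < n:
        if src[i] == dst[i]:
            i += 1
            continue
        j = i
        while j < n and src[j] != dst[j]:
            j += 1
        edits.append((i, j - i, dst[i:j]))
        i = j
    if len(src) != len(dst):
        edits.append((n, len(src) - n, dst[n:]))   # replace the tail
    return Delta(sha256_hex(src), sha256_hex(dst), edits)


def apply_delta(current: bytes, delta: Delta) -> bytes:
    """Apply a delta to the file currently on the device.

    Raises ValueError (the updater's "quit OTA process") when the device file
    is not the version the delta was built against, or when the result does
    not match the expected output hash."""
    if sha256_hex(current) != delta.src_hash:
        raise ValueError("precondition failed: device file is not the version this OTA expects")
    out = bytearray(current)
    # Apply from the highest offset down so earlier offsets stay valid when
    # an edit changes the length.
    for offset, old_len, new_bytes in sorted(delta.edits, key=lambda e: e[0], reverse=True):
        out[offset:offset + old_len] = new_bytes
    result = bytes(out)
    if sha256_hex(result) != delta.dst_hash:
        raise ValueError("postcondition failed: patched file does not match the expected hash")
    return result


def try_apply(current: bytes, delta: Delta) -> str:
    """Human-readable outcome, mirroring the post's yes/no walkthrough."""
    try:
        apply_delta(current, delta)
        return "applied"
    except ValueError as exc:
        return f"rejected: {exc}"


# Constructed sample "files": versions A, B and C of one system file.
VERSION_A = b"build-tag: A  value=1"
VERSION_B = b"build-tag: B  value=4"
VERSION_C = b"build-tag: C  value=9"

if __name__ == "__main__":
    b_to_c = make_delta(VERSION_B, VERSION_C)
    print("delta carries", sum(len(e[2]) for e in b_to_c.edits), "changed bytes of",
          len(VERSION_C), "in the new file")
    print("device on B :", try_apply(VERSION_B, b_to_c))   # applied
    print("device on C :", try_apply(VERSION_C, b_to_c))   # rejected
    print("device on A :", try_apply(VERSION_A, b_to_c))   # rejected
```

Running the block applies the B-to-C delta to a device on B and then shows the same delta being rejected on A and on C, because the hash of the file on the device is not the one the delta was built against.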

Related

[Q] How Is it possible?

Aren't the S5 for Verizon and the Note 4 very similar? Similar software, both with locked bootloaders, etc. How is it possible that the S5 can get root access but we're stuck?
Samsung and Google have long since patched those exploits used to obtain root. Thus, we're waiting for someone to find and use a new exploit or alternative rooting vector.
dilness said:
Aren't the S5 for Verizon and the Note 4 very similar? Similar software, both with locked bootloaders, etc. How is it possible that the S5 can get root access but we're stuck?
There was a change in the Linux kernel. If you look at the Towelroot website, it mentions that the root method should work on all Android devices prior to June 3, 2014. I remember that when Towelroot was released, geohot mentioned that a friend of his actually found the Linux exploit. This gives me hope, as whatever exploits exist that would allow us to root the N4 would/should exist across all recent Android devices. So, if an exploit is found for another device, it'll hopefully work for the N4 as well and vice versa. Time will tell.
From the TR thread:
Read back in the thread a few pages - 1) GeoHot works for Google now. Hired to find and close exploits like the one towelroot used to root devices; 2) towelroot used a specific vulnerability in kernels dated before June 3. If your kernel is dated after June 3, the vulnerability has been patched and there is nothing GeoHot can "fix" to make towelroot work on your device; and related to that 3) either your phone has the vulnerability or it doesn't and towelroot either works to root your device or it doesn't and there is nothing GeoHot can do to fix towelroot to make it work for your device. Plus, like I said before GeoHot works for Google now so he can't create programs or apps that root phones by exploiting vulnerabilities he is supposed to now be fixing. Now that this same question has been answered for the 1,000,000th time in this thread, can we please get it closed?
And this is the reason GeoHot will not be updating TR to work with newer phones. Google hired a top-notch team to find exploits and notify software makers of the exploit before it is found by someone with malicious intentions. It's kinda funny, they've probably already found exploits we could use to root our phones. Fortunately, even if they have, patches take a while.
Fight the system!!!

Possible Root Maybe !

I recently came across this article and its content intrigued me greatly. There is a "QuadRooter" exploit for devices using Qualcomm chipsets. Maybe we can finally have root access on our beloved Note 4.
Article: http://www.androidcentral.com/quadrooter-5-things-know-about-latest-android-security-scare
Oh lord......it is some good news.
xateeq said:
I recently came across this article and its content intrigued me greatly. There is a "QuadRooter" exploit for devices using Qualcomm chipsets. Maybe we can finally have root access on our beloved Note 4.
Article: http://www.androidcentral.com/quadrooter-5-things-know-about-latest-android-security-scare
Sorry to break hopes and dreams... Exploits aren't the problem. We already have exploits to root. These exploits are just another way.
The problem is the locked bootloader and the kernel having DM-Verity. Once the system obtains root, the kernel reads that we have root, which is DM-Verity, then it removes root from the system. Which is why we only have a temp root when we use Kingroot on 4.4.4 KitKat and 5.1.1 Lollipop. This is why no developer wasted their time creating an app for root, because we know it will only be temp.
There is no exploit for DM-Verity. The only way around it is with an unlocked bootloader: install a custom kernel with DM-Verity disabled. Now come Android 7.0 Nougat, verified boot (known as DM-Verity) will be "strictly enforcing" and won't allow your device to boot if the software has been compromised.
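The behaviour nemopsp describes above (an edit to the system partition being caught, so root does not stick) is what a verified block device does at read time. The following is an added example and not code from the thread, from Android or from dm-verity itself: a simplified hash-tree check in which `digest`, `build_tree`, `read_block`, `read_all`, the 4-byte block size and the constructed image are my assumptions. Real dm-verity uses 4 KiB blocks, a multi-level tree and a root hash bound to verified boot; only the idea is modelled.

```python
"""Added example: a simplified model of a verified block device (the idea
behind dm-verity). Every block is hashed; the leaf hashes are hashed into a
root that the boot chain pins. A read returns a block only if it still
authenticates against that root, so an edit to the read-only partition
surfaces as a read error instead of as a lasting change.
"""
import hashlib

BLOCK_SIZE = 4  # assumption: tiny blocks so the sample image stays readable


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def split_blocks(image: bytes) -> list:
    return [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]


def build_tree(image: bytes):
    """Return (root_hash, leaf_hashes). Done once when the image is built;
    the root is what verified boot would sign and pin."""
    leaves = [digest(block) for block in split_blocks(image)]
    return digest(b"".join(leaves)), leaves


def read_block(image: bytes, index: int, leaves: list, trusted_root: bytes) -> bytes:
    """Verified read. The leaf list itself is checked against the pinned root
    first, so replacing the hashes alongside the data does not help; then the
    requested block is checked against its leaf."""
    if digest(b"".join(leaves)) != trusted_root:
        raise IOError("hash tree does not match the trusted root hash")
    block = split_blocks(image)[index]
    if digest(block) != leaves[index]:
        raise IOError(f"block {index} failed verification")
    return block


def read_all(image: bytes, leaves: list, trusted_root: bytes) -> list:
    """Outcome per block: the block bytes, or the error message a reader hits."""
    outcomes = []
    for i in range(len(split_blocks(image))):
        try:
            outcomes.append(read_block(image, i, leaves, trusted_root))
        except IOError as exc:
            outcomes.append(str(exc))
    return outcomes


# Constructed 16-byte "system image": four blocks AAAA BBBB CCCC DDDD.
PRISTINE = b"AAAABBBBCCCCDDDD"

if __name__ == "__main__":
    root, leaves = build_tree(PRISTINE)
    # An in-place edit to block 2 of the mounted partition.
    tampered = PRISTINE[:8] + b"ROOT" + PRISTINE[12:]
    print(read_all(tampered, leaves, root))
    # Recomputing the leaves for the edited image does not help without the root.
    _, forged_leaves = build_tree(tampered)
    print(read_all(tampered, forged_leaves, root))
```

The untouched blocks still read normally; only the edited block fails, and rewriting the leaf hashes to match the edit fails every read because the pinned root no longer matches. That is the same reason a temporary root that writes to a verity-protected partition cannot persist without the bootloader unlock the post mentions.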
nemopsp said:
Sorry to break hopes and dreams... Exploits aren't the problem. We already have exploits to root. These exploits are just another way.
The problem is the locked bootloader and the kernel having DM-Verity. Once the system obtains root, the kernel reads that we have root, which is DM-Verity, then it removes root from the system. Which is why we only have a temp root when we use Kingroot on 4.4.4 KitKat and 5.1.1 Lollipop. This is why no developer wasted their time creating an app for root, because we know it will only be temp.
There is no exploit for DM-Verity. The only way around it is with an unlocked bootloader: install a custom kernel with DM-Verity disabled. Now come Android 7.0 Nougat, verified boot (known as DM-Verity) will be "strictly enforcing" and won't allow your device to boot if the software has been compromised.
Okay, so Android will become more like iOS on Nougat and onwards? No way I'm sticking with Android then..
Whatever happened to Ubuntu mobile?
boofman said:
Okay, so Android will become more like iOS on Nougat and onwards? No way I'm sticking with Android then..
Whatever happened to Ubuntu mobile?
Well yes, at least for most OEM manufacturers. I think Google is mostly doing this to help promote Nexus phones so they get a bigger market. Because if you have a Nexus or OnePlus you'll be fine with being SIM unlocked and bootloader unlocked.
Personally I'll be upgrading in a couple of months with AT&T and I'll be giving this Note 4 back to them... don't see much point in keeping it if I can't root. And I'm upgrading back to iPhone because at least we all know Apple doesn't have much security and will have a jailbreak on iOS 10. They just got one on iOS 9.3.3 and other developers already have iOS 10 beta 3 jailbroken.
Android is still more open than iOS in the sense of having SD cards, file management, being able to download from your Internet browser, running emulators on your phone like GBC, GBA, DS, PSX, etc., unzipping/opening RAR files. They just don't want you to have system access or management. It started with mostly carriers (like Verizon and AT&T), but now I think OEMs don't want us rooting either; look at the Galaxy S7, it has a locked bootloader even on T-Mobile. Just an example.
nemopsp said:
Well yes, at least for most OEM manufacturers. I think Google is mostly doing this to help promote Nexus phones so they get a bigger market. Because if you have a Nexus or OnePlus you'll be fine with being SIM unlocked and bootloader unlocked.
Personally I'll be upgrading in a couple of months with AT&T and I'll be giving this Note 4 back to them... don't see much point in keeping it if I can't root. And I'm upgrading back to iPhone because at least we all know Apple doesn't have much security and will have a jailbreak on iOS 10. They just got one on iOS 9.3.3 and other developers already have iOS 10 beta 3 jailbroken.
Android is still more open than iOS in the sense of having SD cards, file management, being able to download from your Internet browser, running emulators on your phone like GBC, GBA, DS, PSX, etc., unzipping/opening RAR files. They just don't want you to have system access or management. It started with mostly carriers (like Verizon and AT&T), but now I think OEMs don't want us rooting either; look at the Galaxy S7, it has a locked bootloader even on T-Mobile. Just an example.
I wish that we wouldn't have natively locked bootloaders as a mandatory requirement for succeeding Android versions. That way, even if mainstream brands decide to lock all their phones, we'll still have those from the likes of Xiaomi and Oppo as options if you need or want root.
But, if that were the case, then I think we'd be better off with iOS with all the ecosystem that comes with it, along with less segmentation for developers, not to mention the awesome accessories and even cases that iOS devices have.
Interesting
It's been a while since I flashed a custom ROM, but I've been trying to get caught up again. From what I've read, the bootloader is locked on our AT&T Note 4. Isn't this the bootloader?
I am also jumping ship from Android. If I'm going to spend some serious cash on a phone, it shouldn't be locked down. My daughter just received the iPhone 6s and loves it. I want full access to my phone again; I've been rooting for years.
I've spent too much money on apps to consider switching. I'll just change carriers.

New Exploit on Verizon Galaxy S9 G960U???

Hi everyone,
So it has been a year since I got my S9 and still there is no exploit released to the public yet, and I understand that Samsung really locked down the security on their US variants.
The Samsung S6, which I used to have, had an exploit where you could only have shell root access in the terminal by modifying the boot.img and flashing it via Odin, and that's using Android Nougat for root.
Could this perform a similar function on the S9? Like at least have an exploit where you can have shell root via ADB?
If not, is there any status on the G960U in terms of rooting?
AndroidFan16 said:
Hi everyone,
So it has been a year since I got my S9 and still there is no exploit released to the public yet, and I understand that Samsung really locked down the security on their US variants.
The Samsung S6, which I used to have, had an exploit where you could only have shell root access in the terminal by modifying the boot.img and flashing it via Odin, and that's using Android Nougat for root.
Could this perform a similar function on the S9? Like at least have an exploit where you can have shell root via ADB?
If not, is there any status on the G960U in terms of rooting?
Modifying the boot.img will cause the signature from Sammy to fail, as would anything else that isn't stock and properly signed.
No dice man. Still nada on the U devices. You do know that root is becoming less and less necessary, right? What are you looking to get done with root?
youdoofus said:
Modifying the boot.img will cause the signature from Sammy to fail, as would anything else that isn't stock and properly signed.
No dice man. Still nada on the U devices. You do know that root is becoming less and less necessary, right? What are you looking to get done with root?
Ohh... Well that's kind of a dud.
I always want root mainly for more control over my device, for example, uninstalling bloatware (this way if I dare to factory reset my device, I don't need to disable the apps I don't want after performing a factory reset, unless I have to reflash the ROM).
Another thing is controlling the CPU's frequency (or governor) for either saving battery or pumping out more performance, which is technically the #1 thing I want root for.
I also want to stop OEM updates from forcing me to update my phone after 10 deferrals (I found a bug to bypass this: use the notification drawer and click on the settings button).
I also want to configure access to change the 4G LTE bands (by changing the config file in the /efs partition, which I assume is locked without su access).
Like I have mentioned, shell root is basically the minimum for me, and I wouldn't mind that. HOWEVER, if all that I have mentioned can be performed without root with a similar function, please let me know.
AndroidFan16 said:
Ohh... Well that's kind of a dud.
I always want root mainly for more control over my device, for example, uninstalling bloatware (this way if I dare to factory reset my device, I don't need to disable the apps I don't want after performing a factory reset, unless I have to reflash the ROM).
Another thing is controlling the CPU's frequency (or governor) for either saving battery or pumping out more performance, which is technically the #1 thing I want root for.
I also want to stop OEM updates from forcing me to update my phone after 10 deferrals (I found a bug to bypass this: use the notification drawer and click on the settings button).
I also want to configure access to change the 4G LTE bands (by changing the config file in the /efs partition, which I assume is locked without su access).
Like I have mentioned, shell root is basically the minimum for me, and I wouldn't mind that. HOWEVER, if all that I have mentioned can be performed without root with a similar function, please let me know.
You're not gonna get true debloating with this, but if you flash the U1 firmware with an unknown CSC, it won't install any carrier bloat and is very much akin to a GSI. Nice and stripped down. Over/underclocking, yup, you need root. I never see people talking about clocking the processor anymore though, as the new kernels are so adaptive and are written quite well. I've also never not wanted to install an OEM update, so I'm not sure how to stave those off, or if it's even possible. To change the bands your phone is utilizing, you just need access to the special menu from the dialer.
Do you know what's the dialer code to access the service menu on the S9 on Verizon?
I'm pretty sure it's locked but it's worth a try.

Is it worth to root your Samsung Galaxy S10+

Hello,
Yesterday, I successfully rooted my Samsung Galaxy S10+. But since I still had some questions about it, I went on and posted a thread here. User Spaceminer then pointed out that my original post was in the wrong subforum and linked me here. Naturally, I looked at some of the most popular posts in hopes of finding answers to my questions. But what I found confused me more than it gave me answers.
Since 2014 with the Samsung Galaxy S5 I got used to rooting in order to disable bloatware, protect my data and customize my phone. I continued doing that with the S8+ until I recently got my hands on the S10. Now, my main reasons for rooting are still the same; I want to disable (not necessarily uninstall) bloatware, protect my privacy and customize my phone (such as changing the background of the dial when calling someone). But that thread made me wonder if it is even essential to root. I also found a similar post on Reddit and most answers seem to agree that it is not necessary to root your phone.
Now, my situation is a bit different. For one, I already rooted my phone. Second, I don't care about warranty or custom ROMs. But I do want to install a banking app. Also, it is a bit cumbersome not only to have to manually update your phone with every update, but the booting requirements with the warning screen are also a bit annoying. So, my question is the following:
What are the advantages of rooting that are not possible without it? I have 3 main concerns: bloatware, privacy and customization.
The reason why I posted this in a separate thread is that I was not able to come to a definitive conclusion on my own and most discussion threads are over a year old. By now, the whole process of rooting and what is possible has changed, so I want to get a more recent insight. I hope you can help me out.
With kind regards,
DasMalzbier
Tbh root is not needed, unless you want to use a custom rom. Most things are already in the android now.
CalyxOS isn't made for the Samsung Galaxy series, and the 12 update also comes this year, so I think rooting is unnecessary for the S10 series.
Root is 100%, absolutely necessary for using the phone. I cannot use any phone without it. Critical root-only capabilities:
full system backups (in twrp)
titanium backup
disable updates permanently (update ONLY when want to)
app freezers (app quarantine)
disable/remove bloatware
disable google play services/google play
automate/tasker
cf lumen
adblockers
wifi tether
busybox
superuser
ssh tunnel
update android to later version / install custom roms
optimize system
button mapper
custom theming / substratum
nav gestures
tidypanel
xposed
root explorer
app privacy customizations
3c all-in-one toolbox
more
Without root, the phone is unusable to me. I will never buy any phone without root capability. I am willing to go to different carriers just to get root on the device, or go to different manufacturers if root is blocked. For example, I will never buy a huawei device - they are locked.
I would like to say yes but I can't. The stock apps are very well designed.
The biggest concern is that custom ROMs are released faster than modded apps.
For example I tried about ten GCAMs and all of them have a bug... and it becomes more complicated with Exynos.
OpenGcam is not worth samsung app.
Unable to get voice match to work.
Alarms that you can't set to a specific day with the google app.
And so on.
Root is useful when the manufacturer no longer updates the devices.
I regret having rooted mine because I lost Samsung Pay and other things.
DemotionFR said:
I would like to say yes but I can't. The stock apps are very well designed.
The biggest concern is that custom ROMs are released faster than modded apps.
For example I tried about ten GCAMs and all of them have a bug... and it becomes more complicated with Exynos.
OpenGcam is not worth samsung app.
Unable to get voice match to work.
Alarms that you can't set to a specific day with the google app.
And so on.
Root is useful when the manufacturer no longer updates the devices.
I regret having rooted mine because I lost Samsung Pay and other things.
The only one that would have any consequence of rooting is Samsung Pay.
xbt- said:
Root is 100%, absolutely necessary for using the phone. I cannot use any phone without it. Critical root-only capabilities:
full system backups (in twrp)
titanium backup
disable updates permanently (update ONLY when want to)
app freezers (app quarantine)
disable/remove bloatware
disable google play services/google play
automate/tasker
cf lumen
adblockers
wifi tether
busybox
superuser
ssh tunnel
update android to later version / install custom roms
optimize system
button mapper
custom theming / substratum
nav gestures
tidypanel
xposed
root explorer
app privacy customizations
3c all-in-one toolbox
more
Without root, the phone is unusable to me. I will never buy any phone without root capability. I am willing to go to different carriers just to get root on the device, or go to different manufacturers if root is blocked. For example, I will never buy a huawei device - they are locked.
Can you carrier/network unlock with root?
NickosD said:
Tbh root is not needed, unless you want to use a custom rom. Most things are already in the android now.
No, even if you wanna use a custom ROM you don't need to root. Just pick the ROM with the apps you want or just use the GApps packages you want; if you want only the essentials to work, use pico or nano GApps. If there is still something you want to remove and the ROM doesn't allow it, just use adb shell commands and that's it. Fewer issues with banks not working because of Magisk (root). I know Magisk has a feature to hide itself and change its name, but depending on the app, the libs can be found and it knows that is Magisk, so for security purposes some apps don't work and some aren't even shown in the Google Play Store just because you rooted the device.
logandavid said:
Maybe now root is not needed, but later down the road when your phone gets obsolete and newer Android OS updates are halted for the S10+, then you'll be more attracted towards custom ROMs. Actually it is just personal preference.
It's happening right now, I doubt S10+ will receive Android 13 and now just security and bug fix updates are being shipped by Samsung.
Haknor said:
It's happening right now, I doubt S10+ will receive Android 13 and now just security and bug fix updates are being shipped by Samsung.
It won't get any new Android upgrades AFAIK.
But apart from tripping Knox, what else do I lose if I unlock my bootloader? I read once, quite a while ago, that the battery is limited to 80% of its full capacity. Is that true?
io_gh0st said:
It won't get any new Android upgrades AFAIK.
But apart from tripping Knox, what else do I lose if I unlock my bootloader? I read once, quite a while ago, that the battery is limited to 80% of its full capacity. Is that true?
Depending on the version, you'll notice the stock camera to be limited or not work as expected, secure folder and dual messenger not working, it can trigger some banking or payment apps (especially if you root), no more OTA updates (if you keep using the stock ROM), DRM content can stop working, Samsung Pay, the Play Store might limit the apps you see and so on... Not sure about the battery; for me unlocking the bootloader and switching to another ROM made my battery last longer than stock, but it depends on the ROM and the device, it's not a rule of thumb.

Modifying G988u from verizon

Can I modify my G988U from Verizon in any way? And if so how? I'm new to this kind of stuff. I know I should probably leave Verizon.
You might be able to disable some packages with ADB, but beyond that, if your phone has been receiving OTA updates, it's likely hopeless. Substantial customization requires root, and that is precluded by locked bootloaders. There are paid services that can unlock bootloaders on S20s with older software, but my understanding is this isn't an option for devices with newer software.
I actually just switched to Verizon, entirely motivated by AT&T's hostility towards most unlocked devices (that they don't sell). So, if you leave, who are you going to go to? T-Mobile is the most permissive of the big 3, but tends to lag in infrastructure.
Right, didn't even look into that. Probably going to stay with Verizon now that you said that lol. Just curious: what do people get out of rooting their phone? I want to learn how and don't know where to start.
CainD5 said:
Right, didn't even look into that. Probably going to stay with Verizon now that you said that lol. Just curious: what do people get out of rooting their phone? I want to learn how and don't know where to start.
A lot. Android phones have come a long way in past decade and change that they have been available, but root access, which is typically associated with at least an unlocked bootloader and possibly also a custom ROM, remains the single most powerful customization tool. A short non-exhaustive list of what you can do:
Use Magisk (see the Magisk Module Repo for ideas of capabilities).
Use EdXposed or LSPosed (see the Xposed Module Repo for ideas of capabilities).
Install a custom kernel (natively mount CIFS/NFS filesystems, overclock your device, and all sorts of other options).
Permanently debloat your ROM (survives hard reset).
Enjoy the best ad blocking experience.
View/backup/edit private application data.
There are also downsides to root, such as tripping the warranty void bit (and disabling Knox-related functionality like Samsung Pay), likely losing filesystem encryption, and greatly increasing your odds of a malware infestation. That said, the XDA site is largely powered by the modding/root access community, so those risks aren't discussed much.
