  • Stars: 410
  • Rank: 105,468 (Top 3 %)
  • Language: C
  • Created about 5 years ago
  • Updated almost 5 years ago


Repository Details

A PoC application demonstrating the power of an Android kernel arbitrary R/W.

qu1ckr00t

A PoC application demonstrating the power of an Android kernel arbitrary R/W (CVE-2019-2215). Writeup: https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/

Qu1ckR00t is a PROOF OF CONCEPT. It should NOT be used on your personal device with valuable user data. It has only been tested on a Pixel 2; running it on any other device or kernel will likely lead to a crash or even data loss. DO NOT install extra Magisk environment files or upgrade Magisk if prompted, as this will patch the boot image and break dm-verity on the next boot, likely leading to data loss when you need to reflash.

No prebuilt APKs are provided, to avoid people messing up their devices. Build and customize it for your specific device!

Notes

  • The exploit for CVE-2019-2215 is at native/poc.c. Compile this with the Android NDK.
  • Native binaries (Magisk + exploit) are bundled into the APK in app/src/main/res/raw. Add or replace these with device-specific code.
  • The YOLO-installer™ for Magisk is at app/src/main/res/raw/magisk_install and has only been tested on an AArch64 Pixel 2 running Android Q. YMMV.

Limitations

  • Magisk was never meant to be installed without a patched boot image.
  • The Magisk install is core-mode only.
  • Magisk app SU notifications don't appear to be working due to the request intent not making it through. I manually sent it during the SU timeout window using ADB and the command am start -n APP_ID/a.m --user 0 -f 0x18000020 -a request --es socket SOCKET_ID, where APP_ID is the package name of the installed Magisk Manager and SOCKET_ID is the listening socket of the Magisk daemon (found using lsof | grep magisk | grep ' @' in a root shell).

More Repositories

1. ShannonBaseband (C, 136 stars): Scripts, plugins, and information for working with Samsung's Shannon baseband.
2. shannon_s5000 (C, 40 stars): A code skeleton of Samsung's Shannon S5000 baseband modem.
3. ShannonEE (36 stars): FirmWire has replaced ShannonEE. OLD: A dynamic analysis environment for Samsung's Shannon baseband.
4. ShannonFirmware (34 stars): Samples of Shannon baseband firmware for research purposes.
5. uOS (C, 13 stars): An in-progress learning kernel for x86.
6. YateBTS-USRP (C, 11 stars): A fork of YateBTS that still works with USRP devices.
7. gdbscripts (Python, 9 stars): An assorted collection of GDB scripts.
8. shannon_S5123 (C, 9 stars): A code skeleton of Samsung's Shannon5123 5G baseband modem.
9. ffff (C, 7 stars): File Fuzzing For Fun (FFFF). A bare-minimum file format fuzzer with easily extensible corruption types.
10. omap_loader (C, 5 stars): A USB BootROM uploading utility for TI ARM OMAP3 family processors. Rewrite of omap3_usbload. Supports USBLOAD functionality in TI's X-Loader.
11. SM-G973F-Kernel (C, 4 stars): Samsung S10 SM-G973F Exynos 9820 Kernel (G973FXXU3ASG8).
12. pwgen (Python, 4 stars): A simple password generator from a wordlist and seed. Used for CCDC.
13. usbutils-portable (C, 4 stars): A portable version of Linux's usbutils (lsusb) for macOS.
14. ctf (Python, 3 stars): A sampling of CTF solutions from me over the years.
15. OuterRealm (JavaScript, 2 stars): A very minimal Three.JS demoscene prod tracked using GNU Rocket for JavaScript.
16. vocode (Python, 2 stars): Enabling you to program with your voice.
17. hunter_remote (Python, 2 stars): Notes and tools to send and receive signals from Hunter fan remote controls.
18. benchasm (C, 2 stars): A personal collection of x86 assembly snippets for learning and performance tests.
19. nest-toolkit (C, 2 stars): An old release of a Nest UI Toolkit from my BlackHat '14 talk.
20. gfx (C++, 1 star): Some C++ graphics fun.
21. roguesolver (C, 1 star): An ASCII-based rogue AI that finds keys and exits on an unknown map.
22. grant-h.github.io (HTML, 1 star).
23. dotfiles (Vim Script, 1 star): Grant Hernandez's personal dotfiles.
24. fractal (C, 1 star): A quick-n-dirty fractal viewer written in good-ol' C and SDL.
25. sierpinski-chaos (C++, 1 star): A simple SDL app to generate Sierpinski's triangle using the chaos game.
26. BuildIt-2014 (Python, 1 star): My submission for the Build it Break it Fix 2014 competition.