Toshiba Excite 10 SE (AT300SE) root [SOLVED]

[Quid]

Thanks pio_masaki. Just one last question, if you don't mind.
Can I access the /system when it boots for recovery menu?
ADB seems to not being able to find the device...

I think I bricked it after I changed the name of the device model and manufacturer on build.prop and would try to undo it.

[Ads]

[pio_masaki]

If you can get ADB to work then you can access /system IF you retained root.

If you've never used ADB on it before it may be tricky, but adb comes up almost as soon as the sparkles do.

Once you see it with ADB devices you can use a root shell to fix your build.prop. I won't get into the step how unless it's needed, and it would be tedious on phone keyboard lol.

Of note, even the "unrootable" AT300 gives up a root shell, we just can't write to /system, so nothing permanent can be done. The AT300SE had a fluke update where the kernel module was left out that prevents it.

That said, it can be done, I've done it quite a few times on the AT300. Even have a script setup for triggering the exploit for root shell, just never got past sealime.

Sent from my A0001 using Tapatalk

Edit: just realized you want to use recovery for ADB, no, you can't access /system from it, it's just the stock 3e recovery, only signed zips will flash from it, we can't manually change anything like cwm or TWRP. Bootloader SIG checks recovery, so we can't just put a custom one there.

[Quid]

Thanks A LOT pio_masaki. Yes, problem is I never see the 'sparkles', only the Toshiba logo. Guess I will have to bring it to Toshiba.

PS: Computer still detects something's there, but ADB fails to work...

[pio_masaki]

Thanks A LOT pio_masaki. Yes, problem is I never see the 'sparkles', only the Toshiba logo. Guess I will have to bring it to Toshiba.

PS: Computer still detects something's there, but ADB fails to work...

That's likely the APX mode, I know some, or all, tegra devices will fault to APX mode for repair if it can't do anything, but Toshiba chose to lock that as well, without the key we can't access APX mode either.

Let me figure out some stuff for a minute and I'll post something to try.

Sent from my A0001 using Tapatalk

[Quid]

let me figure out some stuff for a minute and i'll post something to try.

thanks!!!

[pio_masaki]

thanks!!!

OK, let's test. Since you rooted I take it you at one point had ADB setup and working, if so let me know. If you already know where I'm going with this then skip ahead.

Open up a prompt, wherever you have ADB.exe unless it's system wide, then anywhere, if you don't know what that means then it probably isn't lol

Turn off the excite, plug it in with a micro USB cable, in the terminal type adb logcat. If it takes it'll say waiting for device, then try to turn on the excite. If logcat jumps then you have ateast a small window of ADB access, and we can maybe work something out.

If ADB errors or something we'll address that. It's hard to tell but if the system was the same that rooted it ADB should work, drivers wise. If it has a driver issue it'll be hard to track down. If after a couple tries it doesn't kick logcat over, press ctrl and c to exit that command, then boot the excite into recovery (power and volume down iirc, maybe it's up) then tell me what options you have.

I'm looking for ADB updating, in that mode it'll trigger ADB on the PC as well, but not logcat, but the PC will tell you if it's there in device manager.

If this is all over your head just let me know and we can setup a Skype or duo or something call and I can walk you through it while I see what's going on your screens.

Sent from my A0001 using Tapatalk

[Quid]

PC detects it as "MTP USB Device" called... "Nexus" (it's the name I gave it on build.prop, lol)


adb logcat waits forever for device and nothing happens.


In "Recovery mode" I have the usual, including update from adb and factory reset which, as you know, wont work in this case. (I've tried anyway)


Using update from adb I get an "Unknown USB Device".

[UserName]

That said, it can be done, I've done it quite a few times on the AT300. Even have a script setup for triggering the exploit for root shell, just never got past sealime.

Hi pio_masaki,

how did you get the root shell? What exploit did you use?
I've been playing around with dirtyC0W but it doesn't work at all on my AT300. ;(

The SELINUX code used (sealime) seems to be totally different from what's used by current android versions, too...

P.S.: I found your AT300 kernel repositories on github, but unfortunately it only contains the source for the old 4.0.3 AT300 firmware. Do you have the kernel source for the current Android 4.1.1 image, too? Or is it identical to the AT300se kernel? (As far as I know, both AT300 and AT300se are basically identical devices).

Edit: Does the root shell at least allow you to read files only visible to root or system?

P.S.: Great work getting the root shell at all!

[pio_masaki]

Motochopper is able to get root in shell, it's not 100% but its about 75% success rate, if it doesn't work reboot then try it again, it's never taken me more than twice to get root shell with it.

SEALime is a modified version of what was then SELinux, and is not very similar to SELinux found on android from 4.3 on, so attacks against SELinux won't work that I know of.

The kernel source for 4.1 is under the JB branch, master is 4.0 or ICS. I don't recall if I got it for the SE model or not. The SE had a single update that didn't include SEALime, or at least it wasn't loaded, there was an update since that put it back on, that's why the SE could gain permanent root and /system write and the AT300 can't. They should be similar otherwise, but the hardware did differ slightly so I'm not sure its a straight exchange for the two. We can't flash a custom kernel anyways, the bootloader would fail the sig check on the boot.img even on the SE.

In shell with root you have every power root normally has EXCEPT write on certain partitions, like /system, and the ability to unload the SEALime module. Anything SEALime prohibits it will regardless of what level you run at.

If you know how to poke at kernel memory then SEALime can be bypassed since we have shell root, however it's beyond me how to do that so I never got past it. The last idea I had was to use some utility to write or block reading from sealime.ko, or knock it out of memory completely. Unlike the AT100 4.0 version it's active, it doesn't just load and sit there, the kernel queries it and it reacts, so the little loophole we used to symlink it to another path no longer works.

There was a PoC program that was called seakiller, the source is gone now, however it's purpose was to get past SEALime on the AT300 device, used at a security conference. You can still find info if you google seakiller, the attacks outlined in the presentation seemed valid, but in practice I was unable to replicate it. I do have a built seakiller binary, though, I managed to build it before the sources were removed, but it doesn't work. It calls for a name that doesn't appear to work, and when I first read about it (before the information started to vanish) it was mentioned it was a 4.3 updated AT300, which stopped at 4.1, and some of the processes mentioned don't exist on the 4.1 AT300, such as app controlled SEALime. I had thought it was the next generation, the Pro or whatever, with the Tegra 4, but they specifically said AT300, which seemed odd to me. Something about the module returning null, if you get it to not, then the kernel proceeds as requested, I think.

Hi pio_masaki,

how did you get the root shell? What exploit did you use?
I've been playing around with dirtyC0W but it doesn't work at all on my AT300. ;(

The SELINUX code used (sealime) seems to be totally different from what's used by current android versions, too...

P.S.: I found your AT300 kernel repositories on github, but unfortunately it only contains the source for the old 4.0.3 AT300 firmware. Do you have the kernel source for the current Android 4.1.1 image, too? Or is it identical to the AT300se kernel? (As far as I know, both AT300 and AT300se are basically identical devices).

Edit: Does the root shell at least allow you to read files only visible to root or system?

P.S.: Great work getting the root shell at all!

[Quid]

Thanks pio_masaki for being so helpful to everyone. About my case, better take it to Toshiba, no?