
Page 25 of 26, results 241 to 250 of 254

Thread: Toshiba Excite 10 SE (AT300SE) root [SOLVED]

  1. #241
    Developer

    Member #
    18359
    Join Date
    Sep 2012
    Location
    Surprise, Az (that's a real place)
    Posts
    3,783
    Liked
    1903 times
    Twitter
    piomasaki
    Quote Originally Posted by Quid View Post
    Thanks pio_masaki for being so helpful to everyone. About my case, better take it to Toshiba, no?
    At this point it's probably the only real option I fear.

    Sent from my Oneplus One using Tapatalk
    JB/ICS OC Kernels | My ROMs section | TWRP Recovery for Thrive
    CM10 General Thread | Jelly Bean Guide
    Donations, always appreciated!
    Need a rollback or reflash? Just send a PM!

  3. #242
    Thrive Lurker
    Member #
    28542
    Join Date
    Dec 2016
    Posts
    8
    Liked
    3 times
    Quote Originally Posted by pio_masaki View Post
    Motochopper is able to get root in shell, it's not 100% but it's about 75% success rate, if it doesn't work reboot then try it again, it's never taken me more than twice to get root shell with it.
    Ohh, Ok, I'll try it as soon as possible. I thought I tried that exploit already and it didn't work, but probably I didn't try hard enough...


    Quote Originally Posted by pio_masaki View Post
    The kernel source for 4.1 is under the JB branch, master is 4.0 or ICS. I don't recall if I got it for the SE model or not.
    Embarrassing... I didn't notice that there are several branches. Stupid me....

    Quote Originally Posted by pio_masaki View Post
    There was a PoC program that was called seakiller, the source is gone now, however its purpose was to get past SEALime on the AT300 device, used at a security conference. You can still find info if you google seakiller, the attacks outlined in the presentation seemed valid, but in practice I was unable to replicate it. I do have a built seakiller binary, though, I managed to build it before the sources were removed, but it doesn't work. It calls for a name that doesn't appear to work, and when I first read about it (before the information started to vanish) it was mentioned it was a 4.3 updated AT300, which stopped at 4.1, and some of the processes mentioned don't exist on the 4.1 AT300, such as app controlled SEALime. I had thought it was the next generation, the Pro or whatever, with the Tegra 4, but they specifically said AT300, which seemed odd to me. Something about the module returning null, if you get it to not, then the kernel proceeds as requested, I think.
    I found the presentation, but it's lacking most details. However, I also found a transcript of the presentation at Def Con 21 - Pau oliva fora - Defeating seandroid | Readable, but on first glance it doesn't contain much more information, either.

    As the presentation talks about selinux on android in general (which is there since 4.3) but also the "odd" AT300 in general, it could well be that the seakiller is for 4.3 kernels on non-"odd"-devices and the description just got mixed up....

    I'll report if I get anything useful going...
    pio_masaki likes this.

  4. #243
    Thrive Lurker
    Member #
    28542
    Join Date
    Dec 2016
    Posts
    8
    Liked
    3 times
    Hmpf, I can't get motochopper to work. ;(
    I also tried the kernelchopper tool, which is basically an open source reimplementation of motochopper that lets you dump or change memory based on the exploit, but it doesn't work either, no matter how often I try to reboot...

    @pio_masaki: What's the kernel version on your AT300? I get:

    shell@android:/data/local/tmp $ uname -a
    Linux localhost 3.1.10-00056-g44823be #1 SMP PREEMPT Mon Aug 26 12:09:53 IST 2013 armv7l GNU/Linux

    Do you have an earlier kernel?
    I suspect that my kernel might already have been patched against motochopper. ;(

    While the kernel from your git repository still has the vulnerable code as far as I could see, the repository is from before Aug 26, so the kernel I'm actually running might be newer and include the motochopper fix...
    According to the kernelchopper thread linked above, patches were available by end of April 2013...

    What still irks me is that I can't get dirtyC0W to work, either, although it might not be of much use with sealime. However, it should at least basically work...

    Have you tried any other exploits that might work?
    Last edited by UserName; 01-03-2017 at 03:05 PM.

  5. #244
    Developer

    Member #
    18359
    Join Date
    Sep 2012
    Location
    Surprise, Az (that's a real place)
    Posts
    3,783
    Liked
    1903 times
    Twitter
    piomasaki
    Quote Originally Posted by UserName View Post
    Hmpf, I can't get motochopper to work. ;(
    I also tried the kernelchopper tool, which is basically an open source reimplementation of motochopper that lets you dump or change memory based on the exploit, but it doesn't work either, no matter how often I try to reboot...

    @pio_masaki: What's the kernel version on your AT300? I get:

    shell@android:/data/local/tmp $ uname -a
    Linux localhost 3.1.10-00056-g44823be #1 SMP PREEMPT Mon Aug 26 12:09:53 IST 2013 armv7l GNU/Linux

    Do you have an earlier kernel?
    I suspect that my kernel might already have been patched against motochopper. ;(

    While the kernel from your git repository still has the vulnerable code as far as I could see, the repository is from before Aug 26, so the kernel I'm actually running might be newer and include the motochopper fix...
    According to the kernelchopper thread linked above, patches were available by end of April 2013...

    What still irks me is that I can't get dirtyC0W to work, either, although it might not be of much use with sealime. However, it should at least basically work...

    Have you tried any other exploits that might work?
    I don't have an Excite, I haven't had a Toshiba tablet in probably a few years now. The kernel source they sent me was prior to at least one final update, which Toshiba was aware of motochopper working before releasing so it stands to reason it was patched. Each request takes literally weeks to get on a CD from Japan, and the last one I sent was ignored completely which is actually illegal, but oh well. I think they got tired of me in general. It's why I uploaded it to GitHub as Toshiba refused to have it online for whatever (security) reasons.

    Too bad I didn't know about kernel chopper, I probably would have gotten past sealime since I never updated mine to the final update for obvious reasons, that's exactly what I needed.

    I suppose if I ever come across one I'd pick it up and try some more, but it'd have to be a killer deal.

    Motochopper was the only one I got root shell from, though honestly I only tried a few before that.

    Sent from my A0001 using Tapatalk
    JB/ICS OC Kernels | My ROMs section | TWRP Recovery for Thrive
    CM10 General Thread | Jelly Bean Guide
    Donations, always appreciated!
    Need a rollback or reflash? Just send a PM!

  6. #245
    Thrive Lurker
    Member #
    28542
    Join Date
    Dec 2016
    Posts
    8
    Liked
    3 times
    FWIW: I managed to get root on my AT300. After trying various variations of TowelRoot which, however, did nothing or even crashed my device, I went looking for other vulnerabilities.
    After some searching, I came across an exploit based on CVE-2013-6282 that worked out of the box:
    https://github.com/timwr/CVE-2013-6282

    However, I'm still blocked by sealime and can't access various files:

    shell@android:/ # ls /modules/
    sealime.ko
    shell@android:/ # cat /modules/sealime.ko
    /system/bin/sh: cat: /modules/sealime.ko: Operation not permitted
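    Added example (not code from the thread or from either poster): a small Python triage script for the two questions the posts above raise, whether a `uname -a` line like the one quoted earlier indicates a kernel that predates the upstream fix for CVE-2013-6282, and whether the running build is newer than the kernel source tree you were given. The fix threshold (3.5.5) is the upstream release in which the ARM get_user/put_user address validation landed; the source snapshot date and the second, x86 `uname` line are constructed placeholders.

```python
# Added example, not from the thread: triage a `uname -a` line for
# (a) whether the kernel version predates the upstream CVE-2013-6282 fix and
# (b) whether the binary was built after the source tree you hold.
import re
from datetime import date, datetime

# Upstream release carrying the CVE-2013-6282 fix (ARM get_user/put_user
# address validation). Vendor trees routinely backport fixes without bumping
# the version string, so this is a screening threshold, not a verdict.
CVE_2013_6282_FIX_VERSION = (3, 5, 5)

UNAME_RE = re.compile(
    r"^(?P<sysname>\S+)\s+(?P<nodename>\S+)\s+(?P<release>\S+)\s+"
    r"(?P<version>#\d+.*?)\s+(?P<machine>\S+)\s+(?P<os>\S+)$"
)
# Build date inside the version field: "Mon Aug 26 12:09:53 IST 2013"
DATE_RE = re.compile(
    r"\b(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+(?P<mon>[A-Z][a-z]{2})\s+"
    r"(?P<day>\d{1,2})\s+\d{2}:\d{2}:\d{2}\s+\S+\s+(?P<year>\d{4})\b"
)


def parse_uname(line):
    """Split a `uname -a` line into release tuple, build date and machine."""
    m = UNAME_RE.match(line.strip())
    if not m:
        raise ValueError("not a recognised `uname -a` line")
    rel = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", m["release"])
    if not rel:
        raise ValueError("no numeric kernel version in release field")
    version = tuple(int(x) for x in rel.groups(default="0"))
    d = DATE_RE.search(m["version"])
    build_date = None
    if d:
        build_date = datetime.strptime(
            f"{d['mon']} {d['day']} {d['year']}", "%b %d %Y").date()
    return {
        "release": m["release"],
        "version": version,
        "build_date": build_date,
        "machine": m["machine"],
        "is_arm": m["machine"].startswith("arm"),
    }


def assess_cve_2013_6282(info):
    """Screen by architecture and version; returns one of three statuses."""
    if not info["is_arm"]:
        return "not-applicable"        # the bug is ARM-specific
    if info["version"] >= CVE_2013_6282_FIX_VERSION:
        return "fixed-upstream"
    return "possibly-affected"         # confirm against the actual source tree


def built_after(info, source_snapshot):
    """True when the running kernel was built after the source tree you hold,
    i.e. the tree may not reflect the binary (the thread's Aug 26 situation)."""
    if info["build_date"] is None:
        return None
    return info["build_date"] > source_snapshot


# Sample input: the line quoted in this thread, plus a constructed x86 line.
AT300_UNAME = ("Linux localhost 3.1.10-00056-g44823be #1 SMP PREEMPT "
               "Mon Aug 26 12:09:53 IST 2013 armv7l GNU/Linux")
X86_UNAME = ("Linux build-host 3.13.0-24-generic #46-Ubuntu SMP "
             "Thu Apr 10 19:11:08 UTC 2014 x86_64 GNU/Linux")
SOURCE_SNAPSHOT = date(2013, 8, 1)   # constructed placeholder for the git tree date

if __name__ == "__main__":
    for line in (AT300_UNAME, X86_UNAME):
        info = parse_uname(line)
        print(info["release"], info["machine"], assess_cve_2013_6282(info),
              "built-after-source:", built_after(info, SOURCE_SNAPSHOT))
```

    The thread's own experience, a 3.1.10 kernel that nonetheless carried the motochopper fix, is exactly why the check reports "possibly-affected" rather than "vulnerable": on vendor Android kernels the version string says little about which fixes were backported, and only the source (or a patch-level check) settles it. The build-date comparison flags the other failure mode from the posts, a source drop that predates the binary actually running on the device.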

  7. #246
    Developer

    Member #
    18359
    Join Date
    Sep 2012
    Location
    Surprise, Az (that's a real place)
    Posts
    3,783
    Liked
    1903 times
    Twitter
    piomasaki
    Quote Originally Posted by UserName View Post
    FWIW: I managed to get root on my AT300. After trying various variations of TowelRoot which, however, did nothing or even crashed my device, I went looking for other vulnerabilities.
    After some searching, I came across an exploit based on CVE-2013-6282 that worked out of the box:
    https://github.com/timwr/CVE-2013-6282

    However, I'm still blocked by sealime and can't access various files:

    shell@android:/ # ls /modules/
    sealime.ko
    shell@android:/ # cat /modules/sealime.ko
    /system/bin/sh: cat: /modules/sealime.ko: Operation not permitted
    You'll need something that can poke kernel memory, now that you have root you should be able to finish sealime off. I'd follow that presentation we discussed for the direction to look, since you have that kernel chopper tool available now you should be able to shut it up from returning null on /system remount.

    Sent from my A0001 using Tapatalk
    JB/ICS OC Kernels | My ROMs section | TWRP Recovery for Thrive
    CM10 General Thread | Jelly Bean Guide
    Donations, always appreciated!
    Need a rollback or reflash? Just send a PM!

  8. #247
    Thrive Lurker
    Member #
    28542
    Join Date
    Dec 2016
    Posts
    8
    Liked
    3 times
    Motochopper won't do, since my tablet is not vulnerable. I haven't had a deeper look at CVE-2013-6282 yet, maybe it will allow me to overwrite kernel memory. However, apart from trying the exploit and seeing that it works, I haven't done anything else yet due to lack of time. I'll report back if I manage to do something interesting.

  9. #248
    Developer

    Member #
    18359
    Join Date
    Sep 2012
    Location
    Surprise, Az (that's a real place)
    Posts
    3,783
    Liked
    1903 times
    Twitter
    piomasaki
    Quote Originally Posted by UserName View Post
    Motochopper won't do, since my tablet is not vulnerable. I haven't had a deeper look at CVE-2013-6282 yet, maybe it will allow me to overwrite kernel memory. However, apart from trying the exploit and seeing that it works, I haven't done anything else yet due to lack of time. I'll report back if I manage to do something interesting.
    Well I meant kernel chopper since it can poke kernel memory, since you can gain root it should be usable for that after elevating.

    Sent from my A0001 using Tapatalk
    JB/ICS OC Kernels | My ROMs section | TWRP Recovery for Thrive
    CM10 General Thread | Jelly Bean Guide
    Donations, always appreciated!
    Need a rollback or reflash? Just send a PM!

  10. #249
    Thrive Lurker
    Member #
    28542
    Join Date
    Dec 2016
    Posts
    8
    Liked
    3 times
    Nope, kernel chopper uses the same (fixed) exploit as motochopper, so no chance to use it.

    However, CVE-2013-6282 also allows reading&writing arbitrary kernel memory, and the exploit code even contains some convenient methods that might make overwriting the sealime kernel methods quite easy.

    I've just started reading the exploit code and trying to understand it, but I think this might actually be quite doable.


    P.S.: As far as I know the AT300 will only boot signed kernels. Do you know if the system partition is also signed in some way, i.e., if I write to the system partition, would that brick the device?

  11. #250
    Developer

    Member #
    18359
    Join Date
    Sep 2012
    Location
    Surprise, Az (that's a real place)
    Posts
    3,783
    Liked
    1903 times
    Twitter
    piomasaki
    Quote Originally Posted by UserName View Post
    Nope, kernel chopper uses the same (fixed) exploit as motochopper, so no chance to use it.

    However, CVE-2013-6282 also allows reading&writing arbitrary kernel memory, and the exploit code even contains some convenient methods that might make overwriting the sealime kernel methods quite easy.

    I've just started reading the exploit code and trying to understand it, but I think this might actually be quite doable.


    P.S.: As far as I know the AT300 will only boot signed kernels. Do you know if the system partition is also signed in some way, i.e., if I write to the system partition, would that brick the device?
    It only boots signed boot images, not just kernel, same for recovery. That prevents us from just removing sealime from being loaded during init.

    Either way you should be able to get it. Basically if sealime does NOT return null, the kernel proceeds. I think. Maybe it's the other way around, but poking kernel memory and inserting null, or not null, should kill sealime, or rather, its write protection with the kernel since you'll be between them.

    Sent from my A0001 using Tapatalk

    Edit: forgot, system isn't checked until updating afaik, AT300SE could have a modified system partition and boot.
    JB/ICS OC Kernels | My ROMs section | TWRP Recovery for Thrive
    CM10 General Thread | Jelly Bean Guide
    Donations, always appreciated!
    Need a rollback or reflash? Just send a PM!


 