Possible root for J series!!??

Ideas and dreaming will go this forum
Post Reply

sectroyer
Official SamyGO Developer
Posts: 5765
Joined: Wed May 04, 2011 5:10 pm

Re: Possible root for J series!!??

Post by sectroyer » Mon Nov 02, 2015 10:49 pm

savan wrote: What you think guys?? :)
NO :)
I do NOT support "latest fw" at ALL. If you have one you should block updates on router and wait for it to STOP being "latest":)
If you want me to help you please paste FULL log(s) to "spoiler"/"code" bbcodes or provide link(s) to pasted file(s) on http://ctrlv.it/ Otherwise "NO HELP"!!!
If you want root DISABLE internet access to your device!!!!
DO NOT EVER INSTALL FIRMWARE UPGRADE !!!!

User avatar
bugficks
Official SamyGO Developer
Posts: 1062
Joined: Tue Jun 25, 2013 3:56 pm

Re: Possible root for J series!!??

Post by bugficks » Wed Nov 04, 2015 10:36 am

if someone wants to play w/ sdb, here is a quick hack python script
for a list of "known" commands check:
org.tizen.common.sdblib_2.0.0.201506231003.jar!org/tizen/sdblib/command/security
-SecureCmdVer1_0.class
-NonSecureCmd.class

Code: Select all

#!/usr/bin/env python
#
# quick hack sdb testing tool 
# (c) 2015 bugficks@samygo
#

import os, sys, array
import socket
import binascii
import time
import ctypes
from ctypes import *

MAX_PAYLOAD=4096
A_VERSION=0x02000000
#define A_SYNC 0x434e5953
#define A_CNXN 0x4e584e43
#define A_OPEN 0x4e45504f
#define A_OKAY 0x59414b4f
#define A_CLSE 0x45534c43
#define A_WRTE 0x45545257
#define A_STAT 0x54415453

def hex2bin(s):
    return binascii.unhexlify(s.replace(' ', ''))
def bin2hex(s):
    return binascii.hexlify(s)

        
"""
struct amessage {
    unsigned command;       /* command identifier constant      */
    unsigned arg0;          /* first argument                   */
    unsigned arg1;          /* second argument                  */
    unsigned data_length;   /* length of payload (0 is allowed) */
    unsigned data_check;    /* checksum of data payload         */
    unsigned magic;         /* command ^ 0xffffffff             */
};
"""
def chksum(cmd):
    _sum = 0;
    for c in cmd:
        _sum += ord(c);
    return _sum    

def make_amessage(cmd, arg0=0, arg1=0, data=None):
    ar = array.array('L', cmd + '\x00' * 5 * 4)
    ar[1] = arg0
    ar[2] = arg1
    if data:
        ar[3] = len(data) + 1
        ar[4] = chksum(data)
    ar[5] = ar[0] ^ 0xFFFFFFFF
    
    if data:
        return bin2hex(ar.tostring() + data + '\x00')
    return bin2hex(ar.tostring())


def dump_packet(data):
    ar = array.array('L', data[0:6*4])
    print "  %08x %s" % (ar[0], data[0:4])
    for i in range(1,6):
        print "  %08x" % ar[i]
    if ar[3] > 0:
        payload = data[6*4:]
        print '    payload:', payload
    print '  hex', bin2hex(data), ''
    return ar
    
def send(s, data):
    print 'sending'
    _data = hex2bin(data)
    dump_packet(_data)
    
    s.sendall(_data)
    
    print ''
    

def recv(s):
    print 'receiving'
    try:
        data = s.recv(1024)
        dump_packet(data)
        return data
    except socket.timeout:
        pass
    print ''

def sdb_cmd(s, cmd):
    cmd = make_amessage('OPEN', 1, 0, cmd)
    send(s, cmd)

    data = ''
    while True:
        data = recv(s)
        if not data:
            break
        
        msg = array.array('L', data[:24])
        arg0 = msg[1]
        arg1 = msg[2]
    
        cmd = None    
        if data[:4] == "OKAY":
            cmd = make_amessage('OKAY', arg1, arg0)
            
        if data[:4] == "CLSE":
            cmd = make_amessage('CLSE', arg1, arg0)
            #break
        if data[:4] == "WRTE":
            cmd = make_amessage('OKAY', arg1, arg0)
            
        if cmd:
            send(s, cmd)


SHELL_PROTOCOL = "shell:";
ROOT_SHELL_PROTOCOL = "sshell:";

"""
org.tizen.common.sdblib_2.0.0.201506231003.jar!org/tizen/sdblib/command/security
    -SecureCmdVer1_0.class
    -NonSecureCmd.class
 
cmd = make_amessage('OPEN', 1, 0, 'shell:2 mkdir -p /tmp/asd')
cmd = make_amessage('OPEN', 1, 0, 'shell:1 uname')
cmd = make_amessage('OPEN', 1, 0, 'shell:2 /bin/sh /opt/storage/usb/sda1/HACKED.txt')
cmd = make_amessage('OPEN', 1, 0, 'shell:0 psinfo')
cmd = make_amessage('OPEN', 1, 0, 'shell:rpm -qa | grep sdbd')
cmd = make_amessage('OPEN', 1, 0, 'shell:/usr/bin/dlogutil')
cmd = make_amessage('OPEN', 1, 0, 'shell:0 getduid')
cmd = make_amessage('OPEN', 1, 0, 'shell:0 rmfile /tmp/test')
cmd = make_amessage('OPEN', 1, 0, 'sysinfo:')
cmd = make_amessage('OPEN', 1, 0, 'shell:0 getappinstallpath')
cmd = make_amessage('OPEN', 1, 0, "shell:cat /proc/cmdline | grep 'vm_name' | wc -l")
cmd = make_amessage('OPEN', 1, 0, "root:on")
cmd = make_amessage('OPEN', 1, 0, "shell:0 getvmname")
cmd = make_amessage('OPEN', 1, 0, 'shell:0 applist')
"""

if __name__ == '__main__':
    print "sdb tool (c) bugficks"
    try:
        cmd = sys.argv[1]
    except:
        print 'Usage: sdbtool.py "cmd" [ip]'
        print '       sdbtool.py "shell:0 getduid"'
        sys.exit(1)
        
    print ''

    try:
        ip = sys.argv[2]
    except:
        ip = '192.168.1.12'

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, 26101))
    s.settimeout(2.0)

    cmd_connect = make_amessage('CNXN', A_VERSION, MAX_PAYLOAD, 'host::')
    send(s, cmd_connect)
    data = recv(s)
    if data and data[:4] == 'CNXN':
        sdb_cmd(s, cmd)

    print 'exiting...'

Code: Select all

>sdbtool.py "shell:0 getduid" 192.168.10.10
sdb tool (c) bugficks

sending
  4e584e43 CNXN
  02000000
  00001000
  00000007
  00000232
  b1a7b1bc
    payload: host::
  hex 434e584e00000002001000000700000032020000bcb1a7b1686f73743a3a00

receiving
  4e584e43 CNXN
  01000000
  00001000
  00000013
  00000548
  b1a7b1bc
    payload: device::UJU7500::0
  hex 434e584e00000001001000001300000048050000bcb1a7b16465766963653a3a554a55373530303a3a3000
sending
  4e45504f OPEN
  00000001
  00000000
  00000010
  00000588
  b1baafb0
    payload: shell:0 getduid
  hex 4f50454e01000000000000001000000088050000b0afbab17368656c6c3a30206765746475696400

receiving
  59414b4f OKAY
  000000a1
  00000001
  00000000
  00000000
  a6beb4b0
  hex 4f4b4159a1000000010000000000000000000000b0b4bea6
sending
  59414b4f OKAY
  00000001
  000000a1
  00000000
  00000000
  a6beb4b0
  hex 4f4b415901000000a10000000000000000000000b0b4bea6

receiving
  45545257 WRTE
  000000a1
  00000001
  0000000f
  00000411
  baabada8
    payload: AFCU6CTKYUHXU

  hex 57525445a1000000010000000f00000011040000a8adabba5a50434a364f544559574858550d0a
sending
  59414b4f OKAY
  00000001
  000000a1
  00000000
  00000000
  a6beb4b0
  hex 4f4b415901000000a10000000000000000000000b0b4bea6

receiving
  45534c43 CLSE
  00000000
  00000001
  00000000
  00000000
  baacb3bc
  hex 434c534500000000010000000000000000000000bcb3acba
sending
  45534c43 CLSE
  00000001
  00000000
  00000000
  00000000
  baacb3bc
  hex 434c534501000000000000000000000000000000bcb3acba

receiving

exiting...