Docomo Fujitsu Arrows NX F-01F support?

[dadreamer]

I know, it's kinda old model from Docomo but still there's no support even for temporary root. I own F-01F for several years and there was one major upgrade. So, now the recent firmware is based on Android 4.4.2, build # V10R22A (kernel version 3.4.0). For this model I'm ready to do all the necessary procedures related to root obtainment.

If I understand clearly I need to run _android_get_essentialaddress to get specific memory addresses, which later would be added to the device database. Is that correct?

BTW, 2ch boards contain the addresses for the previous firmware:

FJT21

prepare_kernel_cred = 0xc01b7b0c commit_creds = 0xc01b75e4 remap_pfn_range = 0xc0235978 perf_swevent_enabled = 0xc111ff18 ptmx_fops = 0xc112eeb4

security_remap_pfn_range = 0xc0347908 vmalloc_exec = 0xc0242278

remap_pfn_range_end_op = 0xc0fed714

I wonder if they work for V10R22A.

[fi01]

These tools are not work for F-01F build V10R22A. It is enabled PXN even if it is 32bit kernel. If you want to execute exploit code, it is needed to use JOP code or something, not like these tools.

[dadreamer]

@fi01 OMG, such a hardcore protection for the old phone without both SE and HCE! Well, it seems I won't overcome that with my knowledge of Android OS. But if I downgrade to older builds, will it be possible to use your tools?

[fi01]

I think we can run exploit by pingpong with some parameter customization on build V33R64B. But I never heard that it was possible to downgrade.

[dadreamer]

@fi01 Well, I see that I cannot downgrade due to the absence of public firmwares. I wonder if iovyroot is suitable for this task as it's dealing with JOP code somehow. Still searching for another ready-to-go rootkits but a little has been found for now.

[dadreamer]

Just out of my curiosity I've ran a few vulnerability test apps. They showed that F-01F is vulnerable to these flaws: CVE-2015-1474 (GraphicBuffer integer overflow) CVE-2015-1538 #2, #3, #4 (libstagefright: "ctts"/"stts"/"stss" MP4 atom integer overflow remote code execution) CVE-2015-3829 (libstagefright: "covr" MP4 atom integer overflow remote code execution) CVE-2015-3864 (libstagefright: MP4 atom integer underflow remote code execution) CVE-2015-6602 (libstagefright: libutils MP3/MP4 remote code execution) CVE-2015-3825 -> CVE-2015-3837 (memory corruption in OpenSSLX509Certificate deserialization -> remote code execution) CVE-2015-3636 (the famous pingpong bug) CVE-2015-6608 (mediaserver remote code execution) CVE-2015-1528 (integer overflow in the native_handle_create function) CVE-2015-6616 (mediaserver remote code execution)

+ new Qualcomm vulns (obtained with QuadRooter): CVE-2016-2059 (gain privileges by using _msm_ipc_router_bind_controlport function) CVE-2016-2504 (gain privileges via crafted app) CVE-2016-2503 (gain privileges via crafted app) CVE-2016-5340 (bypass some restrictions by using _is_ashmemfile function)

I think, all those StageFright vulnerabilities are of no real use for root gain 'cause it's hard to apply them. For the others I checked out the web and the result is not so good. The rest doesn't even have working code for Android to compile and test. Among them CVE-2015-3636 is widely known and well studied. It seems to me it might be possible to run it on F-01F. I tried that on your pingpong PoC and the result gives some hope.

C:\adb>adb push poc data/local/tmp
poc: 1 file pushed. 1.9 MB/s (68492 bytes in 0.034s)

C:\adb>adb shell
shell@F01F:/ $ cd data/local/tmp
shell@F01F:/data/local/tmp $ chmod 755 poc
shell@F01F:/data/local/tmp $ ./poc
Creating target socket................... OK
16 + 65000 sockets created
20971520 bytes allocated
Done!
C:\adb>

But after this 'Done!' string the phone reboots and of course there's no root... I have tried another forks of this PoC. Some of them display 'Terminated' instead and throw me back to adb shell. The phone doesn't reboot but no root also. Is this code able to defeat PXN at all?..

[fi01]

You have no chance without JOP. It will need kernel memory dump or boot image.

[dadreamer]

@fi01 In the mean time I have tried all available exploits for those CVEs, hoping they'd allow me to pull out boot.img. Sadly I had no success, because they all require specific memory addresses to work properly. I couldn't debug phone's memory without root.

But I've found something interesting. Maybe you heard of last year's finding on RowHammer attack... Here's the article for that. And this one is more detailed. I checked F-01F with the test tool Drammer and it showed that my device is vulnerable. After spending some time for the search I have found the PoC, which's demonstrated here. After all, it appears that this PoC was written expecially for LG Nexus 5 (Android 6.0.1), so it works incorrectly on another devices. It cannot finish and reports various errors. Well, it's private thing also. But I can send it to you if you're interested in this. Maybe, it could help in writing new exploit based on RH attack.

Btw, you could check out these test apps (32-bit ready) to see, if the device is vulnerable: http://vvdveen.com/drammer/drammer.apk http://vvdveen.com/drammer/rh-test http://vvdveen.com/drammer/drammer There's a source on GitHub also.

[dadreamer]

It seems, that "very secret" exploit gave me some basic root priv's, so I managed to pull out my boot.img and kallsyms from the phone. But still any other things are locked and SELinux is on. So I started to adapt iovyroot to do the final task. Currently I'm stuck at finding correct joploc / jopret and selinux_enforcing. Maybe you with your great experience in rooting could look at my kernel and kallsyms and point me to the way to go. :) My dumps are here: https://github.com/dosomder/iovyroot/issues/48

[fi01]

About 3 monthes ago I dumped boot image, and I confirmed that iovyroot's jop method is not enough for F-01F. Because ptmx fops is in text section, you can not modify fsync callback address and there is nothing to kick jop code by fsync.

[dadreamer]

Can I do something with it, having root (id=0)? There should be a way to disable SELinux. Maybe, even something easy like that.

[dadreamer]

@fi01 Well, browsing some xda threads I've got an idea of getting hardware root by unsoldering emmc, altering its content and soldering it back. I think, it should work but it's kinda tricky and expensive. Now I know what to do to get the basic root priv's. But what can I do to disable (or maybe completely rip out) that fjsec security? I mean, is it possible to tweak some files in the system to remove it or put into an inactive state?..

I could dump the whole system or the necessary partitions/files if it helps.

[ttlover201212]

I can root it with some tool..

[dadreamer]

@ttlover201212

I can root it with some tool..

Do you know how to disable fjsec LSM after that?

[ttlover201212]

Sorry bro,I do not know. I find that I can only root 4.22 but not 4.42.. Do you know how to temporary root it ?

[dadreamer]

@ttlover201212 I have the exploit which is able to gain root privileges. But I can't disable fjsec and can't mount /system as read-write. So, these root privileges are useless. The only one thing I can do - read various files and do the dumps.

I'm still trying to find a way to full-root 4.4.2 firmware.

By the way, fjsec may be also active on 4.2.2 firmwares (I'm kinda unsure but it seems to be so). To disable it you need to use Backdoor mmap tools by fi01. You will need to compile _unlock_lsmfjsec and _unlock_mountfjsec and run on your device after you got root priv's. I don't know if those sources should be adapted to your task or not, it's better to ask fi01.

[ttlover201212]

How to gaim root privileges?I want to have a try on my fj01f ?Can you give me the source code for rooting ?

[ttlover201212]

iovyroot？？？

[dadreamer]

@ttlover201212 It's private. Please, could you explain what you're planning to do when you get root? Do you have enough experience with Android and Linux kernel, files, commands etc.? If you don't know how to override PXN and disable LSM then root is of no use to you.

[ttlover201212]

I know it's private,but I will apprecitate you if you give me some help! if I can get the root privileges,then I can do some further research. Because one of my friends works in a root team.

[ttlover201212]

if you do not want to share the sourcecode ,please tell me which direction shoud I spend more time to work.Iovy root???

[dadreamer]

@ttlover201212 As fi01 already said iovyroot won't work for 4.4.2. Do you have email or something to contact?

[ttlover201212]

This is my email:tlover11221@gmail.com

[komodo28]

how to root fujitsu f01f ?

[dadreamer]

@komodo28 If you're on Android 4.2.2 JellyBean (build # V32R63C), look for Dianxinos Superuser or KingRoot. If you're on Android 4.4.2 (build # V10R22A) - no way currently.

[komodo28]

Android 4.4.2 (build # V10R22A)

[cinubu11]

hi, i'm not expert at this, currently i have my f10f in Jellybean, is there any way to upgrade it to kitkat or even at least marshmallow? thx

[dadreamer]

@cinubu11 For KitKat upgrade you have to send the phone to Japan. That's the only way. Sadly, there are no way to upgrade to Lollipop, Marshmallow, Nougat, Oreo or Android P, because such updates were not released by Docomo.

[dadreamer]

@fi01 Just let you to know... I have tried HW rooting, but got no success with it. Here are the details: https://forum.xda-developers.com/showpost.php?p=77277502&postcount=7 So now the only hope is the software methods. Btw I wonder how to do SIM unlock, having root rights. Any ideas?

[DeuZLorD]

anyone can help? how to flashing fujitsu f-01f ? i can't boot EDL mode

[dadreamer]

This issue is closed, because F-01F (V10R22A) is rooted now using CVE-2017-8890 exp: https://github.com/dadreamer/CVE-2017-8890. I adapted the exp from thinkycx with some tricky ROP chain to overcome fjsec protection. The LSM and SELinux are still in place after the system restart, so it's a subject for bootloader unlocking and the system modification, but no progress is made for that yet.