timwr / CVE-2016-5195

CVE-2016-5195 (dirtycow/dirtyc0w) proof of concept for Android

dirtycowing recovery on Samsung, what will happen for KNOX? #40

Open galagala4 opened 7 years ago

galagala4 commented 7 years ago

I have a Samsung phone with Android 6.0.1, and it still has its Knox warranty, and my goal is to keep KNOX.

I just checked that dirtycow works on my phone. I also found that there are a couple of /system/bin/fsck.* with read permission. I'm pretty sure they are executed as root and it seems I'm able to trigger them at will (sd-card or usb-otg). And they are pretty big. Perfect targets then.

BUT my question: what to do next? For my model there is TWRP available. So could I do: dd if=twrp.img of=/dev/block/platform/by-name/RECOVERY

What will KNOX say about that? Then I could boot to TWRP and install superSu.zip, and what will KNOX say about that?

My phone has a (developer) option for allowing/disallowing flashing. I think flashing must be enabled. Not because of dd, but for booting with a non-Samsung recovery image.

(I think that after using dirtycow I can't just install superSu.apk because of the dirty cache, hence changing the recovery.)
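
The two checks behind the plan above, as an added example that is not code from the timwr/CVE-2016-5195 repository or from anyone in this thread: dirtycow overwrites pages of a file it can mmap read-only, and the write cannot grow the file, so a usable target has to be readable, executable (so something runs it as root) and at least as large as the payload; and a dd onto the recovery partition should be refused when the image is larger than the partition. The function names `dc_candidates` and `dc_flash_if_fits` are my own, the `blockdev --getsize64` call assumes a Linux/toybox `blockdev` on the device, and the regular-file fallback exists so the size check can be exercised off the phone.

```shell
#!/bin/sh
# Added example, not from the repository or the thread.
# Assumption: a dirtycow payload must fit inside the target file and the
# target must be readable (mmap) and executed as root to be worth using.

# dc_candidates PAYLOAD DIR
# Print "size path" for every regular file in DIR that is readable,
# executable and at least as large as PAYLOAD, smallest first.
dc_candidates() {
    payload=$1
    dir=$2
    need=$(wc -c < "$payload" | tr -d ' ')
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -r "$f" ] && [ -x "$f" ] || continue
        have=$(wc -c < "$f" | tr -d ' ')
        [ "$have" -ge "$need" ] && echo "$have $f"
    done | sort -n
}

# dc_flash_if_fits IMAGE TARGET
# Write IMAGE over TARGET with dd only if it fits.  TARGET is normally a
# block device (e.g. the by-name/RECOVERY link); a regular file is
# accepted so the check can be tried on a workstation.  Returns 1 and
# writes nothing when the image is larger than the target.
dc_flash_if_fits() {
    image=$1
    target=$2
    img=$(wc -c < "$image" | tr -d ' ')
    if [ -b "$target" ]; then
        cap=$(blockdev --getsize64 "$target")   # assumption: util-linux/toybox blockdev
    else
        cap=$(wc -c < "$target" | tr -d ' ')
    fi
    if [ "$img" -gt "$cap" ]; then
        echo "refusing: $image ($img bytes) is larger than $target ($cap bytes)" >&2
        return 1
    fi
    dd if="$image" of="$target" bs=4096 conv=fsync
}
```

On the phone the first function would be called as `dc_candidates payload /system/bin` and the second as `dc_flash_if_fits twrp.img /dev/block/platform/.../by-name/RECOVERY`; neither touches the Knox fuse question, they only stop the two silent failures (payload that does not fit, image that does not fit) before any write happens.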

refi64 commented 7 years ago

If your phone has a locked bootloader, you run the risk of either bricking it or your changes not staying.

If you're positive that your bootloader is unlocked, you can use android_external_dirtycow.

However, flashing a custom recovery or ROM will trigger Knox.

IMO, you might be better off just rooting normally and then using Triangle Away to reset the counter. If you're on T-Mobile and are paying for handset protection, they don't care about the Knox counter either.

galagala4 commented 7 years ago

It has an open bootloader.

I think I don't even need android_external_dirtycow (recowvery), because fsck has the needed SELinux permissions to write to the block device.

I know for sure that flashing a non-signed recovery to a Samsung phone with e.g. ODIN will trigger Knox. My question is what happens if I'm not flashing but writing directly with dd.

TriangleAway is for older phones, which just count how many times it was flashed. The Knox bit can't be reverted. From the official documentation: https://www.samsungknox.com/en/qa/what-knox-warranty-bit-and-how-it-triggered

It is a one-time programmable bit e-fuse, which can only be turned from 0X0 to 0X1 (i.e. burned).

In this context what do you mean by "rooting normally"? I think Samsung phones are 'normally rooted' by ripping Knox, installing a custom recovery, installing SuperSU. And my goal this time is to not rip Knox.

droidvoider commented 7 years ago

galagala4 I'm working on the same thing as you. I don't understand GitHub too well on following issues or communicating, but contact me somehow, gmail with this name or on xda. Let's pool our resources.