Philip Rushik on 22 May 2018 04:27:54 -0700



[PLUG] Hacking Tizen via microSD silliness


Hey everybody,

I have a weird phone, the Samsung Z1 (the first Tizen-based phone). I would like to get root access to it, though because it's not a common (in the US) phone, there are no prepackaged root exploits available for it.

I noticed that it does something weird with microSD cards though. It automounts the file system when the card is inserted, but does not mount with nosuid or noexec flags. I thought this would make rooting it easy, but it turns out it does something much stupider to prevent me from inserting a suid root su or sh. To prevent using suid root programs from an SD card, the phone goes through the microSD card when it is mounted and rewrites the owner of all files (uid 1005 iirc). And yes, it does actually modify the card, not just treat all files as logically uid 1005.

My next thought was to make a microSD card shaped connector that attaches to an SD card, but with an FPGA in between, and the FPGA would pass through all reads, but intercept writes and just pretend they were successful. That way, the phone wouldn't be able to rewrite the owner and all suid executables would remain suid root when I tried to execute them, thus giving me root access.

However, this seems like it would be a big time/work investment. Can anybody think of an easier solution?
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
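
The mount-flag gap described in the post (removable media automounted without nosuid or noexec) can be audited on a Linux system by parsing /proc/mounts. The following is an added example, not part of the original post; the device prefixes, mount points and sample lines are constructed assumptions.

```python
import re

# Mount options that stop files on removable media from carrying
# privilege (nosuid), exposing device nodes (nodev) or running (noexec).
REQUIRED = ("nosuid", "nodev", "noexec")

def unescape(field):
    """Decode the octal escapes /proc/mounts uses (e.g. \\040 for a space)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def audit_mounts(mounts_text, removable_prefixes=("/dev/mmcblk1", "/dev/sd")):
    """Return (mount_point, missing_options) for each removable mount
    that lacks one or more of the REQUIRED options.

    removable_prefixes is an assumption: adjust it to the device names
    that removable media receive on the system being audited.
    """
    findings = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # not a well-formed mounts entry
        device, mount_point, _fstype, options = parts[:4]
        if not device.startswith(tuple(removable_prefixes)):
            continue  # internal storage or pseudo filesystem
        present = set(options.split(","))
        missing = [opt for opt in REQUIRED if opt not in present]
        if missing:
            findings.append((unescape(mount_point), missing))
    return findings

# Constructed sample in /proc/mounts format (not taken from a real device).
SAMPLE = """\
/dev/mmcblk0p2 / ext4 rw,relatime 0 0
/dev/mmcblk1p1 /media/sdcard ext4 rw,relatime 0 0
/dev/mmcblk1p2 /media/SD\\040CARD vfat rw,nosuid,nodev,relatime 0 0
/dev/sda1 /media/usb vfat rw,nosuid,nodev,noexec,relatime 0 0
"""

if __name__ == "__main__":
    for mount_point, missing in audit_mounts(SAMPLE):
        print(f"{mount_point}: missing {','.join(missing)}")
```

On a live system, pass the contents of /proc/mounts instead of SAMPLE.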