qu1ckr00t
Introduction: A PoC application demonstrating the power of an Android kernel arbitrary R/W.
Tags:
A PoC application demonstrating the power of an Android kernel arbitrary R/W (CVE-2019-2215). Writeup: https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/
Qu1ckR00t is a PROOF OF CONCEPT. It should NOT be used on your personal device with valuable userdata. It has only been tested on a Pixel 2. Running it on any other device / kernel will likely lead to a crash or even data loss. DO NOT install extra Magisk environment files or upgrade Magisk if prompted as this will patch boot, breaking DM-Verity on next boot likely leading to data-loss when you need to reflash.
No prebuilt APKs are provided to avoid people messing up their device. Build and customize it to your specific device!
Notes
- The exploit for CVE-2019-2215 is at native/poc.c. Compile this with the Android NDK.
- Native binaries (Magisk + exploit) are bundled into the APK in app/src/main/res/raw. Add or replace these with device-specific code.
- The YOLO-installer™ for Magisk is at app/src/main/res/raw/magisk_install and has only been tested on a AArch64 Pixel 2 running Android Q. YMMV.
Limitations
- Magisk was never meant to be installed without a patched boot image
- Magisk install is core-mode only
- Magisk app SU notifications don't appear to be working due to the
requestintent not making it. I manually sent it during the SU timeout window using ADB and the command:am start -n APP_ID/a.m --user 0 -f 0x18000020 -a request --es socket SOCKET_ID, where APP_ID is the package name of the install magisk manager and SOCKET_ID is the listening socket of themagiskdaemon (found usinglsof | grep magisk | grep ' @'in a root shell)
