AutomatedRoot: update to version 7.0

Signed-off-by: R0rt1z2 <[email protected]>

.gitignore

@@ -1,6 +1,5 @@
-# mtk-su
-files/arm/mtk-su
-files/arm64/mtk-su
-
-# releases
-releases
+automated_root/files/arm/mtk-su
+automated_root/files/arm64/mtk-su
+automated_root/__pycache__
+devinfo.txt
+automated_root/utils/__pycache__

README.md

@@ -2,52 +2,37 @@
 ![GitHub](https://img.shields.io/github/license/R0rt1z2/AutomatedRoot)
 ![GitHub release (latest by date including pre-releases)](https://img.shields.io/github/v/release/R0rt1z2/AutomatedRoot?include_prereleases)
 ![GitHub All Releases](https://img.shields.io/github/downloads/R0rt1z2/AutomatedRoot/total)
-[![](https://img.shields.io/badge/maintained-yes-purple.svg)](https://github.com/R0rt1z2/AutomatedRoot)
+[![GitHub Maintained](https://img.shields.io/badge/maintained-yes-purple.svg)](https://github.com/R0rt1z2/AutomatedRoot)
 ![GitHub Issues](https://img.shields.io/bitbucket/issues-raw/R0rt1z2/AutomatedRoot?color=red)
 ![Github Contributors](https://img.shields.io/github/contributors/R0rt1z2/AutomatedRoot)
 
-Root MediaTek arm64 devices using `mtk-su` exploit (**CVE-2020-0069**).
+Root MediaTek devices using `mtk-su` exploit (**CVE-2020-0069**).
 
 ## Requirements
-* Python 3.X (with local path defined in windows).
-* ADB (with local path defined in windows).
-* `mtk-su` binary downloaded into the corresponding folder (`files/arm[64]`).
+* Python 3.9 or newer(in %PATH% for Windows).
+* ADB (in %PATH% for Windows).
+* The **CVE-2020-0069** PoC (`mtk-su`).
 
 ## Usage
-```bash
-./MTK-SU.sh # unix-based systems
-./MTK-SU.bat # windows-based systems
-```
+* Download the mtk-su binaries from the [MediaTek's SU XDA page](https://forum.xda-developers.com/t/amazing-temp-root-for-mediatek-armv8-2020-08-24.3922213/) and move them to their corresponding folders (`automated_root/files/arm[64]`).
+* Download the [latest release of the tool](https://github.com/R0rt1z2/AutomatedRoot/releases).
+* If you're using Windows, open a PowerShell. If you're using Linux open a Terminal.
+* Install the requirements with `pip3 install -r requirements.txt`.
+* Run the script with Python: `python3 mtk-su.py`.
 
 ## Available options
 1. Root the device. (system-mode + SuperSU).
-2. Unroot the device. (deleting su files and restoring original app_process).
-3. Root the device. (bootless-mode + Magisk).
-
-## Download
-* Tool downloads are available at: [AutomatedRoot's releases page](https://github.com/R0rt1z2/AutomatedRoot/releases).
-* `mtk-su` downloads are available at: [MediaTek's SU XDA page](https://forum.xda-developers.com/t/amazing-temp-root-for-mediatek-armv8-2020-08-24.3922213/).
-
-## Reporting bugs
-* If you find any bug create and report the issue [here](https://github.com/R0rt1z2/AutomatedRoot/issues).
-* Feel free to use [this template](https://github.com/R0rt1z2/AutomatedRoot/blob/master/files/assets/bugreport.md) to help me to find out what's going on. 
-
-## Special thanks
-* diplomatic (xda): the creator of the `mtk-su` exploit.
-* RYO Software: the creator of the Init.d Support App.
+2. Root the device. (bootless-mode + Magisk).
+3. Unroot the device. (supports both bootless and system mode).
 
 ## License
 * This tool is licensed under the GNU (v3) General Public License. See `LICENSE` for more details.
 * `files/common/Initd.apk` is property of RYO Software.
-* `files/common/Magisk.apk` is property of topjohnwu.
-* `files/common/SuperSU.apk` and `files/arm[64]` are property of chainfire.
-
-## Links of interest
-* https://blog.quarkslab.com/cve-2020-0069-autopsy-of-the-most-stable-mediatek-rootkit.html
-* https://source.android.com/security/bulletin/2020-03-01
-* https://www.xda-developers.com/mediatek-su-rootkit-exploit/
+* `files/common/Magisk.apk` and `files/arm[64]/magiskinit` are property of topjohnwu.
+* `files/common/SuperSU.apk` and `files/arm[64]/{libsupol.so,su,supolicy}` are property of Chainfire.
 
-## Repo Info
-![Github Stars](https://img.shields.io/github/stars/R0rt1z2/AutomatedRoot?style=social)
-![Github Watchers](https://img.shields.io/github/watchers/R0rt1z2/AutomatedRoot?style=social)
-![Github Forks](https://img.shields.io/github/forks/R0rt1z2/AutomatedRoot?style=social)
+## Special thanks
+* diplomatic (XDA): the creator of the `mtk-su` (CVE-2020-0069) exploit and the `magisk-boot.sh` script.
+* RYO Software: the creator of the Init.d Support App.
+* Chainfire: the creator of SuperSU (and its binaries).
+* topjohnwu: the creator of Magisk (and its binaries).

automated_root/__init__.py

@@ -0,0 +1 @@
+# ~.~

files/common/magisk-boot.sh → automated_root/files/common/magisk-boot.sh

@@ -138,9 +138,4 @@ newctx=${ctx/%:s0:*/:s0}
 export HOMEDIR
 echo "$SU_MINISCRIPT" | ./mtk-su -Z $newctx
 
-RESULT=$?
-logcat -c
-
-if [ $RESULT -eq 0 ]; then
-   log -p e -t suboot suboot finished
-fi
+log -p e -t suboot "retcode ${?}"

automated_root/files/common/magisk-root.sh

@@ -0,0 +1,30 @@
+#!/system/bin/sh
+
+CHECK="/data/local/tmp/.check"
+
+if [ "$(getprop ro.product.cpu.abi)" == "arm64-v8a" ]; 
+  then
+     ARCH="arm64"
+elif [ "$(getprop ro.product.cpu.abi)" == "armeabi-v7a" ]; 
+  then
+     ARCH="arm"
+fi
+
+mkdir -p {/sdcard/init.d,/sdcard/init.d/bin} > /dev/null 2>&1
+cp -r /data/local/tmp/magisk-boot.sh /sdcard/init.d/ > /dev/null 2>&1
+cp -r /data/local/tmp/${ARCH}/{mtk-su,magiskinit} /sdcard/init.d/bin > /dev/null 2>&1
+
+am start com.ryosoftware.initd/.PreferencesActivity > /dev/null 2>&1
+logcat | grep -E --line-buffered 'retcode 0' | while read line; do touch $CHECK; done &
+
+while [ 1 == 1 ]
+do
+   ls $CHECK > /dev/null 2>&1
+   if [ "$?" -eq 0 ]; then
+	  rm $CHECK; logcat -c; break
+   fi
+done
+
+am start com.topjohnwu.magisk/a.c > /dev/null 2>&1
+
+echo "All good"

automated_root/files/common/root.sh

@@ -0,0 +1,70 @@
+#!/system/bin/sh
+
+readlink -f /vendor | grep system > /dev/null 2>&1
+
+if [ $? -eq 1 ]; then
+   HAS_VENDOR="YES"
+fi
+
+if [ "$(getprop ro.product.cpu.abi)" == "arm64-v8a" ]; 
+  then
+     ARCH="arm64"
+elif [ "$(getprop ro.product.cpu.abi)" == "armeabi-v7a" ]; 
+  then
+     ARCH="arm"
+fi
+
+if [ "$HAS_VENDOR" -eq "YES" ]; then
+   cat /vendor/etc/fstab* 2>/dev/null | grep verify | grep system > /dev/null 2>&1
+   if [ $? -eq 0 ]; then
+       echo "Failed\nDevice uses dm-verity"
+       exit 1
+   else
+       cat /fstab* 2>/dev/null | grep verify | grep system > /dev/null 2>&1
+       if [ $? -eq 0 ]; then
+           echo "Failed\nDevice uses dm-verity"
+           exit 1
+       fi
+   fi
+else
+   cat /fstab* 2>/dev/null | grep verify | grep system > /dev/null 2>&1
+   if [ $? -eq 0 ]; then
+        echo "Failed\nDevice uses dm-verity"
+        exit 1
+   fi
+fi
+
+mount -o remount -rw /system > /dev/null 2>&1
+
+cp /system/bin/app_process /system/bin/app_process_original > /dev/null 2>&1
+cp /system/bin/app_process32 /system/bin/app_process_original32 > /dev/null 2>&1
+cp /system/bin/app_process64 /system/bin/app_process_original64 > /dev/null 2>&1
+
+if [ "$ARCH" == "arm64" ]; 
+  then
+    cp /data/local/tmp/arm64/su /system/xbin/su > /dev/null 2>&1
+    mv /data/local/tmp/arm64/su /system/xbin/daemonsu > /dev/null 2>&1
+    cp /data/local/tmp/arm64/supolicy /system/xbin/ > /dev/null 2>&1
+    cp /data/local/tmp/arm64/libsupol.so /system/lib/ > /dev/null 2>&1
+    cp /data/local/tmp/arm64/libsupol.so /system/lib64/ > /dev/null 2>&1
+elif [ "$ARCH" == "arm" ]; 
+  then
+    cp /data/local/tmp/arm/su /system/xbin/su > /dev/null 2>&1
+    mv /data/local/tmp/arm/su /system/xbin/daemonsu > /dev/null 2>&1
+    cp /data/local/tmp/arm/supolicy /system/xbin/ > /dev/null 2>&1
+    cp /data/local/tmp/arm/libsupol.so /system/lib/ > /dev/null 2>&1
+fi
+
+chmod 0755 /system/xbin/su  > /dev/null 2>&1
+chcon u:object_r:system_file:s0 /system/xbin/su  > /dev/null 2>&1
+chmod 0755 /system/xbin/daemonsu > /dev/null 2>&1
+chcon u:object_r:system_file:s0 /system/xbin/daemonsu  > /dev/null 2>&1
+
+daemonsu --auto-daemon  > /dev/null 2>&1
+
+rm -rf /data/local/tmp/${ARCH}  > /dev/null 2>&1
+rm /data/local/tmp/*.sh  > /dev/null 2>&1
+
+echo "All good"
+
+exit 0

automated_root/files/common/unroot.sh

@@ -0,0 +1,70 @@
+#!/system/bin/sh
+BOOLESS=1
+ROOT_FILES_64="
+system/xbin/su
+system/xbin/daemonsu
+system/xbin/supolicy
+system/lib/libsupol.so
+system/lib64/libsupol.so
+system/bin/app_process_init
+system/bin/app_process64
+system/bin/app_process"
+ROOT_FILES_32="
+system/xbin/su
+system/xbin/daemonsu
+system/xbin/supolicy
+system/lib/libsupol.so
+system/bin/app_process_init
+system/bin/app_process"
+
+if [ "$(getprop ro.product.cpu.abi)" == "arm64-v8a" ]; 
+  then
+     ARCH="arm64"
+elif [ "$(getprop ro.product.cpu.abi)" == "armeabi-v7a" ]; 
+  then
+     ARCH="arm"
+fi
+
+mount -o remount -rw /system
+if [ $? -eq 0 ] && [ ! -d "/sdcard/init.d" ]; then
+  if [ ! -f "/system/xbin/su" ];
+    then
+      echo "Failed\nDevice not rooted"
+      exit 1
+  fi
+
+  if [ "$ARCH" == "arm64" ]; 
+    then
+      rm $ROOT_FILES_64 > /dev/null 2>&1
+  elif [ "$ARCH" == "arm" ]; 
+    then
+      rm $ROOT_FILES_32 > /dev/null 2>&1
+  fi
+
+  if [ "$ARCH" == "arm64" ]; 
+    then
+     mv /system/bin/app_process_original32 /system/bin/app_process32 > /dev/null 2>&1
+     mv /system/bin/app_process_original64 /system/bin/app_process64 > /dev/null 2>&1
+     ln /system/bin/app_process64 /system/bin/app_process > /dev/null 2>&1
+  elif [ "$ARCH" == "arm" ]; 
+    then
+     mv /system/bin/app_process_original /system/bin/app_process > /dev/null 2>&1
+     mv /system/bin/app_process_original32 /system/bin/app_process32 > /dev/null 2>&1
+     ln /system/bin/app_process32 /system/bin/app_process > /dev/null 2>&1
+  fi
+
+  chcon u:object_r:zygote_exec:s0 /system/bin/app_process32 > /dev/null 2>&1
+  chcon u:object_r:system_file:s0 /system/bin/app_process > /dev/null 2>&1
+  chcon u:object_r:zygote_exec:s0 /system/bin/app_process64 > /dev/null 2>&1
+else
+  if [ ! -f "/sdcard/init.d/bin/mtk-su" ];
+    then
+      echo "Failed\nDevice not rooted"
+      exit 1
+  else
+    rm -rf /sdcard/init.d > /dev/null 2>&1
+  fi
+fi
+
+echo "All good"
+exit 0

automated_root/utils/__init__.py

@@ -0,0 +1 @@
+# ~.~

automated_root/utils/config.py

@@ -0,0 +1,47 @@
+import os
+
+VERSION = "v7.0\n"
+BANNER = """
+     _____     _                 _         _ _____         _   
+    |  _  |_ _| |_ ___ _____ ___| |_ ___ _| | __  |___ ___| |_ 
+    |     | | |  _| . |     | .'|  _| -_| . |    -| . | . |  _|
+    |__|__|___|_| |___|_|_|_|__,|_| |___|___|__|__|___|___|_|  """
+
+# Current supported SoCs/ARCHs (by mtk-su)
+REGIDX_ARCH = ["arm", "arm64"]
+REGIDX_CPU = "(mt67|mt816|mt817|mt6580|mt6595)\s?(.*)"
+
+# Menu options
+MENU_OPTIONS = """
+    -> 1. Root the device (system-mode).
+    -> 2. Root the device (bootless-mode).
+    -> 3. Unroot the device.
+    -> 4. Exit the tool.
+"""
+
+# Magisk Root (manual instructions)
+MAGISK_INST = """[I]: Once the Init.d support app pops up, accept its terms and allow it to access media:
+    -> Set 'Run scripts on boot time' to CHECKED.
+    -> Set 'Execution delay' to NO DELAY.
+    -> Set 'Selected folder' to init.d folder located in the Internal Storage.
+    -> Click on 'Run scripts now' and watch the ad to unlock the feature. (Support the developer!)."""
+
+# Clean CMD
+CLEAN = ("cls" if os.name == "nt" else "clear")
+
+# List of properties dumped by the script (debug)
+REGIDX_PROP = {
+    "ro.product.model": "Model",
+    "ro.build.version.release": "Android Version",
+    "ro.product.manufacturer": "Product Manufracturer",
+    "ro.build.version.security_patch": "Security Patch"
+}
+
+# ADB (default) client IP
+DEFAULT_IP = "127.0.0.1"
+
+# Wheter mtk-su binaries are present
+mtk_su = False
+
+# Result patterns from mtk-su
+RESULT_PATTERN = "(All good|This firmware cannot be supported|Firmware support not implemented|Incompatible platform|permission denied)\s?(.*)"