Project Wallace - autonomous rooting method

[Luxferre]

Hi folks,

Here's a noir-style rooting app that was tested to work on both Nokia 8110 4G TA-1048 with v16 firmware and Alcatel OT-4044D with KaiOS 1.0. It also has the potential to work on the phones without busybox, since it carries its own unzip binary and uses its own resource loader function. So, despite rooting, this is also a testbed for sandbox escaping (at least for an app with "certified" permission).

Download link

Download Wallace 0.1: https://cloud.disroot.org/s/CzkyYi4JancRJNX/download

(SHA256: abc4b5f20b3f6ace709e95560db728ce36783c78dcba49d346cbc2d1eec29bb3)

How to install

After you enter the developer/debug mode, Wallace app can be installed the same way OmniSD could be installed:

- via WebIDE of old Firefox/Pale Moon/NewMoon and adb forward tcp:6000 localfilesystem:/data/local/debugger-socket command,

or

- via make-kaios-install (xpcshell) method by jkelol111.

How to use

Just press the central D-pad key and wait until Niander Wallace silhouette fully comes up. Then your ADB shell is rooted until the next reboot.

There's also a (usual) "secret" feature of privileged factory reset (with confirmation prompt, of course) if you press # instead of central key.

How it works

General flow is as follows:

1. First fitting master extension is selected depending on the platform (choice is done among engmodeExtension, jrdExtension and kaiosExtension);

2. Resource loader (see below) method is called to fetch "unzip" binary from the app resources into /data/local/tmp/unzip;

3. With the help of selected master extension startUniversalCommand method, a concatenated command is run to:

- stop adbd service;

- move the unzip binary from /data/local/tmp/unzip to /sbin/unzip and adjust its permissions (since /sbin structure is volatile until next reboot);

- run the unzip command against the local application package to extract adbd binary to /sbin;

- adjust the new /sbin/adbd permissions and start the adbd service again;

- remove leftover folder from primary storage if it's empty.

How resource loader method works

This is the most interesting part in this app. Resource loader uses the fact that main storage (used by B2G API method navigator.getDeviceStorage("sdcard")) can always be referred to as /storage/self/primary/ in the actual FS tree. The only issue is that in some cases (for instance, on 8110 v16 without SD card) the actual storage is mounted onto /storage/self/primary/0 but, due to some bug, the root of B2G "sdcard" storage handle still refers to  /storage/self/primary/ itself, so attempts to write to the root result in DOM error. Hence, the logic of the loader method is as follows:

1. Shape the XHR with "application/octet-stream" content type and "blob" response type to fetch the necessary resource file. If succeeded, go to the next step, if not, return operation error.

2. Retreive the storage handle with navigator.getDeviceStorage("sdcard") and try writing the resulting blob to 0/tmpbin.bin file (relative to the B2G storage root, not physical location). On success, go to the next step, otherwise return operation error.

3. With the help of selected master extension startUniversalCommand method, run the command to move the file (found with the find command within the /storage/self/primary/ tree, because its location might be either /storage/self/primary/tmpbin.bin or /storage/self/primary/0/tmpbin.bin) to the target location. Return operation success.

So, now that you know what it is and how it all works, feel free to test it out on different configurations (for instance, v13 etc).

Have fun!

P.S. If you don't know who Niander Wallace is, don't worry... Just watch Blade Runner 2049 and you'll find out. ;)

[ProgrammAbel]

Works well on TA-1059 too!

[Luxferre]

Troubleshooting: if you get NoModificationAllowedError, then try removing the leftover tmpbin.bin file:

adb shell rm /storage/self/primary/0/tmpbin.bin

And then reboot with adb reboot and try again.

[Luxferre]

If you still have any issues with Wallace project regarding the new resource loader functionality, here's a "lite" version that uses busybox unzip instead (and obviously works on the devices with Busybox only - 8110 and Alcatels being among them).

Download here: https://cloud.disroot.org/s/mAYgjLb9398WfxJ/download
(SHA256: c48884412e6defcc273f2a95835954bfa7b5381faf2ac5218c8c1457ab111066)

[Huy Minh Bui]

This root method doesn't touch the system partitions right ??

[Luxferre]

It doesn't. It's temporary and works only until the reboot.

[Luxferre]

Wallace Lite updated to 0.2!

https://cloud.disroot.org/s/bYR8j3qc2LPR35e/download

SHA256: beb87abf07926b50fbb35a029322ed552166d628909fd74a51681d279f96a9f5

I never thought any changes would be required for this rooting utility. But the change here is very useful, at least for me: now pressing # takes you to privileged reset, but also pressing * takes you to Qualcomm diagnostics port. This is crucial on Nokias 2720 Flip and 800 Tough, because even privileged reset doesn't allow you to run the ###2324# code, because now all the "privileged" codes are dependent upon ro.build.type system property (which doesn't change even after privileged reset), and if this property is set to "user", these codes just refuse to work. So, I directly took the code snippet that changes the ums.enabled hidden setting alongside the setprop directives, and placed it into Wallace Lite. Enjoy.

P.S. Now that I understand the mechanics a bit better, probably the utility will evolve into distro-agnostic "toolbox" common to all Qualcomm-based KaiOS devices. Stay tuned!

[Luxferre]

So, actually it turns out that we don't need ###2324# code since diag mode is enabled by default in 2720/800T when mass storage mode is turned off in settings but this is not an obvious behavior anyway, so an explicit switch would still be nice.

By the way, I'm now collecting all the elementary hacks into a single LibWallace JS library which would then be released into public domain.

[Luxferre]

And here it is: https://gist.github.com/plugnburn/00fa61006513cdb0a12adf61a6e425e1

All the methods and required permissions are documented. Use like Wallace.reboot() and so on.

[Luxferre]

Just for your information, folks, LibWallace has been updated to version 0.4. Now, besides IMEI, we can programmatically manipulate MAC addresses for Bluetooth and WLAN (on Nokias only though).

The new methods are generateRandomMAC, setNokiaBluetoothMAC and setNokiaWlanMAC. Tested on 800 Tough - work as expected. You can use vendor prefixes for generation, use colon-separated or just plain hex MACs.

Also, did I already mention the enableCallRecording method which should work on any 2.5.2 device?

As LibWallace is public domain, feel free to use it in your own projects: https://gist.github.com/plugnburn/00fa61006513cdb0a12adf61a6e425e1

[perry]

Luxferre thank you for the update!

Can I publish it on the bHackerStore repo?

[Luxferre]

Sure, but it's just a library, not a ready-made application.

I'm now thinking of what could be better - update Wallace Toolbox or offload all identity manipulation into a separate app...

[Luxferre]

LibWallace updated to the version 0.5: https://gist.github.com/plugnburn/00fa61006513cdb0a12adf61a6e425e1

Introduced the setMtkIMEI method, working, for instance, on sKai with engmode-extension and external-api manifest permissions.

[DJ Dynamix]

Hi. Can this be done if I do not have linux but a windows 7 PC? Thanks

[Scott Zhao]

HI,

 

If you just need to root your phone with Wallace Tools, Windows 7  is OK, use Firefox or Palemoon, in WebIde mode, you can install Wallace Tools

--
You received this message because you are subscribed to the Google Groups "comp.mobile.nokia.8110" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bananahacker...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bananahackers/9590715a-2b9b-4e33-9082-c0dcf75008cdo%40googlegroups.com.