SamPWND (S8/S8+) v1.0

It seems like so long ago since the original SamPWND root for S8/S8+ was released!


It was mostly a team effort and countless hours of researching before it all came together.


This was prior to Sammy increasing security and was really the end of the "ENG" firmware era.


Sammy has since implemented security so that you cannot mix and match binaries (combo/user, eng/combo and so on), and anything other than stock user firmware now requires a "token". ENG firmware is also rarely seen in the wild nowadays, as Sammy has doubled down on leakers.


Back to SamPWND 1.0: on the S8 devices you could easily flash factory/combo firmware with a patched ODIN. Factory firmware included a permissive kernel, which left more room for potential exploits to be found.


Eventually we got our hands on ENG firmware. It wasn't easy to find a way to root, since naturally we couldn't flash the boot/recovery images due to security measures, which is where root would otherwise have been straightforward.


We were able to flash combo, then flash system.img from the ENG firmware. This was key because the ENG system.img had an su binary by default. Due to further security measures, however, we couldn't execute the su binary as is, which was frustrating of course. We had permissive SELinux and an su binary in front of us, but still couldn't execute it to gain root privs.


Eventually it was found that we could use another binary called setsid to execute su, which would create an unstable root shell. I do not know how or why this worked. Even chains himself was surprised it worked at the time. All we cared about, however, was that it worked.


Game over! Not quite...


It quickly became frustrating because it was unstable, was only a temp root at best, and was only running in daemon mode (meaning apps couldn't use it, for example).


This did open it up for further research. We still couldn't properly mount system or anything to install proper root. We went back to the drawing board for a long time with no luck, almost to the point of giving up entirely.


Then we tried an old exploit that had long since been patched. We were not sure why it still worked, as it had been patched years prior, but I assumed it was due to the nature of it being factory/eng firmware.


Either way, it was found that we could create a script, push root files to the device and use the echo command to write the path of the root script into uevent_helper from our temp/unstable root shell. uevent_helper would then instantaneously execute our root script (I assume as init/kernel), which was able to mount system and essentially allowed us to install system root.
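For anyone auditing a device for the same weakness, here is a small defensive check (added here, not part of the original SamPWND release) that reads the kernel's uevent_helper node and flags the two conditions that made the trick above possible: a non-empty helper path, and a node that a non-root shell can write to. The node path defaults to /sys/kernel/uevent_helper; the function accepts another path so it can be tested against a constructed file.

```shell
#!/bin/sh
# Added defensive audit of the uevent_helper setting (not SamPWND code).
# The kernel runs whatever program is named in uevent_helper, as root, on every
# uevent, so a writable node is a privilege-escalation primitive and a non-empty
# value is worth investigating.

# Print the current helper path (empty if unset); argument is the node path.
uevent_helper_value() {
    node="${1:-/sys/kernel/uevent_helper}"
    [ -r "$node" ] || return 0
    tr -d '\n' < "$node"
}

# Return 0 when the setting is safe, 1 when something needs attention.
audit_uevent_helper() {
    node="${1:-/sys/kernel/uevent_helper}"
    if [ ! -e "$node" ]; then
        echo "OK: $node does not exist (helper support compiled out)"
        return 0
    fi
    rc=0
    value=$(uevent_helper_value "$node")
    if [ -n "$value" ]; then
        echo "WARN: uevent_helper points at '$value'"
        rc=1
    else
        echo "OK: uevent_helper is empty"
    fi
    # Only root should be able to write the node; a writable node from an
    # unprivileged uid means anyone can point the kernel at their own script.
    if [ "$(id -u)" != "0" ] && [ -w "$node" ]; then
        echo "WARN: $node is writable by uid $(id -u)"
        rc=1
    fi
    return $rc
}
```

Run `audit_uevent_helper` with no argument on the device (for example over adb shell) and treat any WARN line as a finding.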


From there FlashFire was mainly used to flash firmware, supersu.zip and so on. It was game over from there, and SamPWND v1.0 was born!


©2021 SamPWND & Extreme-Syndicate by elliwigy