Database Develop

[AOSP] sepolicy patch for Marshmallow ROMs

After a bit of tinkering and some insight from Chainfire and imoseyon i was finally able to get SuperSU working on AOSP roms without being permissive or having to use Chainfire's prebuilt sepolicy
sepolicy patch is here: https://github.com/PureNexusProject...mmit/0f5072de4580a5db7348917e77e4c1c35d3e3c1a

Stickied.

sorry to be that guy, but how does this affect the average joe?
does it mean theres going to be a new version of supersu with this or does this mean that custom rom makers can use this patch to make there roms not need the the custom boot.img?

WarningHPB said:
sorry to be that guy, but how does this affect the average joe?
Click to expand...
Click to collapse
It doesn't, this is for ROM devs only, they know what to do with this.

Chainfire said:
It doesn't, this is for ROM devs only, they know what to do with this.
Click to expand...
Click to collapse
Welcome back! Hope you had a good break.

Chainfire said:
Stickied.
Click to expand...
Click to collapse
Thanks after including this in my AOSP builds i have noticed a few things, certain "root" app still dont function and get selinux denials. i originally had noticed this with logcat extreme. i was getting read and write denials on logd so i did an audit2allow on my sepolicy and came up with the following allow
Code:
#============= logd ==============
allow logd init:fifo_file { read write };
i did a quick google search on this and came up with https://gist.github.com/poliva/fc5b7402bde74be27518 which is apparently an sediff of your sepolicy, which is heavily modified beyond just what i had for supersu to work in enforcing for aosp roms. so i guess my real question is do us "AOSP" devs have to update our sepolicys with these 300+ additions to get all current root apps working or is this something that you can overcome in an update to SuperSU.
thanks in advance :good:

BeansTown106 said:
Thanks after including this in my AOSP builds i have noticed a few things, certain "root" app still dont function and get selinux denials. i originally had noticed this with logcat extreme. i was getting read and write denials on logd so i did an audit2allow on my sepolicy and came up with the following allow
Code:
#============= logd ==============
allow logd init:fifo_file { read write };
i did a quick google search on this and came up with https://gist.github.com/poliva/fc5b7402bde74be27518 which is apparently an sediff of your sepolicy, which is heavily modified beyond just what i had for supersu to work in enforcing for aosp roms. so i guess my real question is do us "AOSP" devs have to update our sepolicys with these 300+ additions to get all current root apps working or is this something that you can overcome in an update to SuperSU.
thanks in advance :good:
Click to expand...
Click to collapse
There is no such thing now as "all current root apps working".
If SuperSU's deamon can be launched, and it can in turn launch the supolicy tool, most of the rules from the diff will be modified by SuperSU as needed.
What your patch needs to do (and you have already done) is make sure SuperSU can be launched in the right context, and can modify the sepolicy. You do not need to implement those 300+ additions - it will be done at boot automagically.
As for those additions themselves, they are primarily needed to:
- make sure SuperSU can work, internal communications between the different processes and such
- make processes running as the "init" context (where root apps run by default) as powerful as possible
- specifically "allow" a number of things that would otherwise still work, but would be logged (everything that starts with "allow init" or "allow recovery")
Now, even with the above, still not everything works out of the box. Everything that goes from "init" to "non-init" context should already work, but going from "non-init" context to "init" may not. In your example case, we go from "logd" to "init", which isn't specifically allowed. Often apps can be fixed to work around an issue such as this.
Generally speaking, the solution is not to fix the source sepolicy or the supolicy tool, the solution is for the "logcat extreme" app to run the following at launch (as documented in How-To SU):
Code:
supolicy --live "allow logd init fifo_file { read write }"
In this specific case, maybe it could be added to supolicy, it depends on what exactly generates the audit. If it's a simple logcat command, it's a candidate for inclusion. The problem might even be solved by switching contexts rather than modifying any SELinux policies. But that is something for the app developer to figure out.
In either case, it is not something you need to fix in the AOSP patches. Those already do what they need to do.
Since they started doing SELinux Enforcing though, the policies in AOSP have generally been a tad stricter than on retail devices (this was specifically the case during 4.4 days). This may lead to you sometimes having to add/remove a rule manually somewhere that was not added to SuperSU yet. It could happen, but it's unlikely, probably temporary, and it probably should not go into this AOSP patch.
A note on pof's sediff, I'm not sure it was done cleanly, as I see some modifications in there that are not done by supolicy. Either way, such a post is informative, not leading, as supolicy may do more or less modifications depending on various runtime variables (such as Android version). Additionally, due to context names and availabilities changing between Android versions, any rule modification referencing a context not available in the to-be-patched sepolicy will not be applied, and thus will not show up in an sediff.

@BeansTown106
Have you checked by any chance if this patch is enough to allow 2.61 (systemless) to work still ?

Chainfire said:
@BeansTown106
Have you checked by any chance if this patch is enough to allow 2.61 (systemless) to work still ?
Click to expand...
Click to collapse
thanks for the description above now i understand. have never developed a root app so i had not read that part of how to su, but it makes perfect sense that the root apps would handle the denials live via your supolicy
as for system less root i have not tried that yet but i will give it a shot tonight, and report back, i know some people in my ROM thread have used system less root. but i am not sure if you had packaged your sepolicy in the install script for 2.61+ and if it is overwriting mine in the kernel, if that is the case i will modify the installation to not patch the sepolicy and see if it works with my pre compiled one based on the source above

Starting 2.64, I think this addition to init.te is all that is needed:
Code:
allow init kernel:security load_policy;
Confirmation needed though. The original patch will also work with 2.64, and the ZIP installer should default to /system installation mode.
Of course, this also requires that /system isn't verified by dm-verity, and init reloads sepolicy from the standard /data/security/current location.

the link in OP its no longer working...
Also in CM13 tree we have:
Code:
# Reload policy upon setprop selinux.reload_policy 1.
# Note: this requires the following allow rule
# allow init kernel:security load_policy;
and over my builds have no problem with SuperSU system less...

Chainfire said:
Starting 2.64, I think this addition to init.te is all that is needed:
Code:
allow init kernel:security load_policy;
Confirmation needed though. The original patch will also work with 2.64, and the ZIP installer should default to /system installation mode.
Of course, this also requires that /system isn't verified by dm-verity, and init reloads sepolicy from the standard /data/security/current location.
Click to expand...
Click to collapse
will build and test with only load policy enabled, is this for system, and systemless root?
danieldmm said:
the link in OP its no longer working...
Also in CM13 tree we have:
Code:
# Reload policy upon setprop selinux.reload_policy 1.
# Note: this requires the following allow rule
# allow init kernel:security load_policy;
and over my builds have no problem with SuperSU system less...
Click to expand...
Click to collapse
updated link, so your saying systemless supersu works with no selinux modifications?

BeansTown106 said:
updated link, so your saying systemless supersu works with no selinux modifications?
Click to expand...
Click to collapse
Over my builds yes, no issues at all in cm13, although my kernel it's in permissive mode. Maybe it's why it works all good?
Enviado do meu A0001 através de Tapatalk

danieldmm said:
Over my builds yes, no issues at all in cm13, although my kernel it's in permissive mode. Maybe it's why it works all good?
Enviado do meu A0001 através de Tapatalk
Click to expand...
Click to collapse
that is why, these patchs are to allow you to run in enforcing

I dont know if a should post here this question: there is any way to fix this problem with the rom already installed?
Thanks

Garzla said:
I dont know if a should post here this question: there is any way to fix this problem with the rom already installed?
Thanks
Click to expand...
Click to collapse
Try the following. It works for me when needed...
http://forum.xda-developers.com/showthread.php?t=3574688

Thank you for your work!

Link in OP its no longer working...
Is there any actual guide how to add SU directly to AOSP build. I have found bits and pieces but those are mainly 4.x releases.
I'm using Android M release and quite much struggling to get it working.

I have tried to make SU default on AOSP 6.0 by using this guide.
http://forum.khadas.com/t/gapps-and-su-on-soc/118/3
I'm using user build and enabled selinux permissive on that.
i have made also ro.secure=0 ro.debuggable=1 and security.perf_harden=0 (Not sure if needed)
I have also modified to change the su permissions in fs_config.c
I managed to get this work so that when flashing rom SuperSu ask for updating su binary and after that su works.
but i then cleaned work area to verify build by deleting out dir and recompiled. No go anymore.
Why it's so hard to add su by default on AOSP rom. I woud like to have it by default so i would not need to do any tricks everytime i flash new rom.

It reminds me of Korean dramas ,

[MODULE] Debugging modules: ADB Root, SELinux Permissive, Enable Eng

These modules are not meant for everyday use. They are intended for debugging and modification of a firmware. They significantly lower security of your device while active and even could softbrick it. You've been warned.
ADB Root
Magisk Module that allows you to run "adb root". adb root is not an ordinary root (su), it's adbd daemon running on your phone with root rights. adb root allows you to "adb push/pull" to system directories and run such commands as "adb remount" or "adb disable-verify".
Download v1.0: https://github.com/evdenis/adb_root/releases/download/v1.0/adb_root.zip
Source code: https://github.com/evdenis/adb_root
Support: Telegram
SELinux Permissive
This module switches SELinux to permissive mode during boot process. This module intentionally lowers security settings of your phone. Please don't use it if there is a better solution to your problem, e.g., magiskpolicy. The module will not work if your kernel compiled with always enforcing config, e.g., stock samsung kernels. It's not possible to enable permissive mode on such kernels.
Download v2.0: https://github.com/evdenis/selinux_permissive/releases/download/v2.0/selinux_permissive_v2.0.zip
Source code: https://github.com/evdenis/selinux_permissive
Support: Telegram
Enable Eng
This Magisk Module enables engineering build props. It allows to activate debugging parts of a firmware. Please, disable Magisk Hide for this module. If you don't know what you are doing, don't use this module. It can easily softbrick your device.
Troubleshooting
If your device doesn't boot then you need to reboot to TWRP recovery and
Code:
$ adb shell rm -fr /data/adb/modules/enable_eng
If ADB doesn't work that means adbd in your firmware is build without ALLOW_ADBD_ROOT. You can fix adb autostart either by installing "ADB Root" magisk module or by disabling this module.
Download v1.0: https://github.com/evdenis/enable_eng/releases/download/v1.0/enable_eng.zip
Source code: https://github.com/evdenis/enable_eng
Support: Telegram
Kexec tools for Android
This module adds statically linked kexec binary to your system. Aarch64 only. Kexec is a system call that enables you to load and boot into another kernel from the currently running kernel. Your kernel should support kexec.
Download v1.0: https://github.com/evdenis/kexec/releases/download/v1.0/kexec.zip
Source code: https://github.com/evdenis/kexec
Support: Telegram
GDISK/Parted for Android
The module adds statically linked parted/sfdisk/fdisk/gdisk binaries to your system. Aarch64 only. These utils are standard linux tools to edit the partitions tables on disks.
Download v2.0: https://github.com/evdenis/disk/releases/download/v2.0/disk-v2.0.zip
Source code: https://github.com/evdenis/disk
Support: Telegram

Is also valid for One Plus 5 ?
Inviato dal mio ONEPLUS A5000 utilizzando Tapatalk

tmviet said:
Is also valid for One Plus 5 ?
Click to expand...
Click to collapse
Hi, these magisk modules are device independent. Yes, you can use them on One Plus 5.

evdenis said:
Hi, these magisk modules are device independent. Yes, you can use them on One Plus 5.
Click to expand...
Click to collapse
Tks. A lot [emoji6]
Inviato dal mio ONEPLUS A5000 utilizzando Tapatalk

Thanks @evdenis, this module is great! I haven't gotten the 100% desired behavior (getting adbd with actual root perms) because I'm running a 32-bit architecture (armeabi-v7a) and you've supplied only the 64-bit version of adbd, but I've been using your module to swap out 32-bit versions of different versions of adbd I have lying around (older devices). I'm a n00b when it comes to building adbd from scratch using the latest sources with your patch so I'm planning on using the adbd that came with the device and using a disassembler and a hexeditor to NOP out some calls, such as the call to minijail_enter() and see if I have any success. The original device version of adbd doesn't seem to have the functions in it that you built with the patch, but instead appears to use a bunch of minijail library functions. The device is a rooted android 8.1.0 OS, but it is only rooted systemlessly so many of the ro.* build properties affecting adb are changed well after the OS-essential portion boots rendering my efforts thus-far using the original adbd ineffective I'm guessing. I can now issue the "adb root" command from my machine, but adbd on the device is always being launched with the following command line arg "--root_seclabel=u:r:su:s0" and never gains root permissions by default (the behavior I'm trying to achieve). I can manually use "su" but this doesn't help me with push/pull requests to protected parts of the OS and chainfire's "ADB Insecure" patches adbd successfully, but I still don't get the root perms.
Do you know if the system is starting the process with reduced permissions (i.e. adbd will never be able to gain root access on its own no matter what I modify) and I should go a different route like modifying something else in the system rather than adbd? Again, I've already modified the ro.* properties affecting adbd so it does attempt to re-launch itself as root, it just doesn't end up getting the root perms. Manually launching adbd after killing it from within a shell on the device doesn't seem to affect the permissions in ultimately gets.
If you are anyone has any insight as to what I need to do so that adbd gains root permission, that would be much appreciated.

bpaxda said:
I'm planning on using the adbd that came with the device and using a disassembler and a hexeditor to NOP out some calls, such as the call to minijail_enter() and see if I have any success.
Click to expand...
Click to collapse
It was my initial attempt to gain "adb root" on samsung s10. And noping a couple of calls is not enough on the phone. adbd binary on your device could be compiled without "adb root" branch. This is the case on samsung s10. If "adb root" branch exists one need to force should_drop_privileges() function to return false (https://android.googlesource.com/platform/system/core/+/refs/heads/master/adb/daemon/main.cpp#65) in order to get into the "adb root" branch of code (https://android.googlesource.com/platform/system/core/+/refs/heads/master/adb/daemon/main.cpp#151).
bpaxda said:
ro.* build properties affecting adb are changed well after the OS-essential portion boots rendering my efforts thus-far using the original adbd ineffective I'm guessing.
Click to expand...
Click to collapse
You could try enable_eng magisk module (https://github.com/evdenis/enable_eng). The module changes ro.* props to engineering build props. Depending on a firmware this could help to get "adb root". However, no guaranties that the module will not softbrick your device. In case of softbrick you will need to reboot to TWRP and delete the module, instruction is in the README.md.
bpaxda said:
I can now issue the "adb root" command from my machine, but adbd on the device is always being launched with the following command line arg "--root_seclabel=u:r:su:s0" and never gains root permissions by default (the behavior I'm trying to achieve).
Click to expand...
Click to collapse
Try to disable SELinux either with the magisk module or with a script.

Thanks for your response.
I think you're right. Despite having adjusted the ro properties post-boot, there was nothing in ADB that would change the privileges as if it has been compiled out. By sheer luck, I managed to grab adbd from an identical device that had a recent forced firmware update, but the "improved adbd" actually let me get closer. The updated adbd had code changes to its adbd_main function so that it at least looks at the properties "ro.secure" and "service.adb.root" not to mention new calls to minijail_capbset_drop(), minijail_change_gid() and minijail_change_uid(). Using magisk to dynamically replace my original adbd binary with this updated one actually worked in getting adbd to start root shells without needing to invoke "su"!
However its a weird type of root that can't read certain files like /verity_key but I can see some things I should be able to see as root. I'm no SELinux expert, but my guess is that if everything is functioning correctly, I may be getting an SELinux "restricted" root. In this case, it might be the most I can expect from an SELinux enabled kernel launching adbd as root. Let me explain: since I'm using Magisk, post-boot systemlessly, (the system boots restricted and then I use the mtk_su exploit, to gain root and disable permissive SELinux mode), I'm getting permissive root on a session by session basis. I think the nature of this type of root means the kernel is probably still locked down and thus whatever daemon may be responsible for launching adbd remains locked down. Does this sound correct to you? If so, I can live with that
I'd love to get TWRP on this device, but I'm not sure its possible since TWRP doesn't list my device as supported on their website nor can I get into fastboot mode (I didn't try that hard because I wanted to exhaust other options before flashing anything). Do you think enable_eng would work *after* the ACTION_BOOT_COMPLETE event is processed? I.e. my device is rooted after bootup by a script which runs the exploit, but it is well after the system is fully running and locked-down. Luckily Magisk has a utility to change ro properties, but some of those properties are not looked-at by the system this late in the boot stage. Do you think in this case "enable_eng" would work for me? Thanks again!

bpaxda said:
Let me explain: since I'm using Magisk, post-boot systemlessly, (the system boots restricted and then I use the mtk_su exploit, to gain root and disable permissive SELinux mode), I'm getting permissive root on a session by session basis.
Click to expand...
Click to collapse
I'm not sure that my modules will work with this rooting scenario. As far as I could understand, magisk by default replaces the init process, patches selinux policy before it is loaded and next, calls the original init binary. I don't think that it will be possible to alter selinux policy with different boot scenario for magisk.
bpaxda said:
Do you think enable_eng would work *after* the ACTION_BOOT_COMPLETE event is processed? I.e. my device is rooted after bootup by a script which runs the exploit, but it is well after the system is fully running and locked-down. Luckily Magisk has a utility to change ro properties, but some of those properties are not looked-at by the system this late in the boot stage. Do you think in this case "enable_eng" would work for me?
Click to expand...
Click to collapse
I'm not sure that enable_eng will work. adbd daemon check some properties such as ro.secure dynamically, but they could be cached after the boot. I don't know the ways to drop the cache and re-read these properties (altered with magisk) after the boot. Here are the main properties the modules changes https://github.com/evdenis/enable_eng/blob/master/system.prop

Thanks for making this tool! I'm just wondering if I need to modify my adb to use the module - I run "adb root" normally and get "adbd cannot run as root in production builds" still

Anyone know why when i install SELinux Permissive version 2.0 of the module it still states version 1 in Magisk?

I flashed this in Magisk and rebooted. Now my phone is stuck in a boot loop. Any ideas? I'm using Sony Xperia XZ1 compact.

cheeklitched said:
I flashed this in Magisk and rebooted. Now my phone is stuck in a boot loop. Any ideas? I'm using Sony Xperia XZ1 compact.
Click to expand...
Click to collapse
If you have twrp installed just uninstall and reinstall magisk.
Otherwise,
Boot to bootloader and flash your boot.img file
Code:
fastboot flash boot boot.img
Then let phone boot. Reboot to bootloader again. Flash magisk_patched.img
Code:
fastboot flash boot magisk_patched.img
During startup, as soon as you get to the Google logo, hold the volume button down. This should start the phone in safe mode. See if it loads. If not, reboot phone, and execute this in terminal/command prompt:
Code:
adb wait-for-device shell magisk --remove-modules
This should allow the phone to start up all the way. Enable whatever modules you want. You may need to flash magisk_patched.img again.
This has fixed multiple problems for me. It's redundant, but it tends to work.

I installed the Magisk selinux script, but after installing it no longer shows in Magisk, so how do I dissable/undo/uninstall the script? I installed a Selinux checker and it says it is on permissive, so the scrip must have installed, but I want to remove it. Is there an undo script, or can I manually delete the script in my root filesystem? THX

Hello guys
I used Redmi K20 pro with Eu rom 10.4, android 10.
I used the lastest version of this module but my devices was not found on ADB system on my computer.
So what I do now? I tried to fix it but I cannot find anything about it.

Recently, setting SElinux to permissive is not advised. I had a issue with V4A setting my SElinux to permissive permenantly, but editing the magisk module to set SElinux to enforcing instead of permissive also works.
This is probs the only module that actually sets SElinux properly.
Here's the modded magisk module with the same credited creator, but just sets SElinux to Enforcing instead of permissive

OMFG I THINK THIS IS WHAT IVE BEEN LOOKING FOR. TEH HOLY GRAILLLLL OMGOMGOMG THANK YOU THANK YOU THANK YOUUUUU

Will ADB Root work for Android 8.1?

evdenis said:
These modules are not meant for everyday use. They are intended for debugging and modification of a firmware. They significantly lower security of your device while active and even could softbrick it. You've been warned.
ADB Root
Magisk Module that allows you to run "adb root". adb root is not an ordinary root (su), it's adbd daemon running on your phone with root rights. adb root allows you to "adb push/pull" to system directories and run such commands as "adb remount" or "adb disable-verify".
Download v1.0: https://github.com/evdenis/adb_root/releases/download/v1.0/adb_root.zip
Source code: https://github.com/evdenis/adb_root
Support: Telegram
SELinux Permissive
This module switches SELinux to permissive mode during boot process. This module intentionally lowers security settings of your phone. Please don't use it if there is a better solution to your problem, e.g., magiskpolicy. The module will not work if your kernel compiled with always enforcing config, e.g., stock samsung kernels. It's not possible to enable permissive mode on such kernels.
Download v2.0: https://github.com/evdenis/selinux_permissive/releases/download/v2.0/selinux_permissive_v2.0.zip
Source code: https://github.com/evdenis/selinux_permissive
Support: Telegram
Enable Eng
This Magisk Module enables engineering build props. It allows to activate debugging parts of a firmware. Please, disable Magisk Hide for this module. If you don't know what you are doing, don't use this module. It can easily softbrick your device.
Troubleshooting
If your device doesn't boot then you need to reboot to TWRP recovery and
Code:
$ adb shell rm -fr /data/adb/modules/enable_eng
If ADB doesn't work that means adbd in your firmware is build without ALLOW_ADBD_ROOT. You can fix adb autostart either by installing "ADB Root" magisk module or by disabling this module.
Download v1.0: https://github.com/evdenis/enable_eng/releases/download/v1.0/enable_eng.zip
Source code: https://github.com/evdenis/enable_eng
Support: Telegram
Kexec tools for Android
This module adds statically linked kexec binary to your system. Aarch64 only. Kexec is a system call that enables you to load and boot into another kernel from the currently running kernel. Your kernel should support kexec.
Download v1.0: https://github.com/evdenis/kexec/releases/download/v1.0/kexec.zip
Source code: https://github.com/evdenis/kexec
Support: Telegram
GDISK/Parted for Android
The module adds statically linked parted/sfdisk/fdisk/gdisk binaries to your system. Aarch64 only. These utils are standard linux tools to edit the partitions tables on disks.
Download v2.0: https://github.com/evdenis/disk/releases/download/v2.0/disk-v2.0.zip
Source code: https://github.com/evdenis/disk
Support: Telegram
Click to expand...
Click to collapse
how can i make permissive enfocing because in 2022 i heard thats a BIG security risk and my custom ROM (havoc os) if selinux permissive

[Kernel]Kali-NetHunter kernel Pixel 3a and 3a XL sargo/bonito[Kernel]

{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
WITH GREAT POWER COMES GREAT RESPONSIBILITY............
Please use kernel responsibly and respect the rights of others including and especially privacy!
The mad tech clown is back with another Kernel for all of the Kali-linux-nethunter users wanting the portability of kali-nethunter for their Pixel 3a and 3a XL devices codenamed sargo and bonito.
hahahahahahahahahahahahahahahahahahaha
Warning your warranty is now void. Do this at your own risk. The mad clown is in no way responsible for the chaos, worldwide disease, nuclear destruction, laughing fish, costumed caped crusaders or damage caused to your device by performing the steps involved.
hahahahahahahahahahahahahahahahahahaha
I now bring you the
Mad-Kali-MaxHunter kernel
Features :
compiled with clang 8 and linaro aarch64 5.5
-optimized for performance and battery life
-Klapse color control with backlight dimmer and high brightness mode
-Boeffla wakelock blocker
-vibration control
-sound control
-the usual I/O schedulars like zen fiops deadline and such
-adreno boost
-fsync switch
-wireguard support
-HID support
-previously disabled otg is now enabled
-full usb support including.........
---serial
---ACM
---OBEX
---NCM
---ECM
---RNDIS
---EEM
---mass storage
---MTP and PTP
---MIDI
---DIAG
-ntfs
-devtmpfs and mount
-full bluetooth support
-Wifi injection
-dvb / sdr support
- use your own modules
-systemd/upstart support for dual boot
-LZMA compression to keep twrp
-binfmt_misc -------- you can do alot of cool stuff with this enabled like use exe programs ie wine and for you compilers you can effectively change the architecture of your device in a chroot to use qemu properly. what does that really mean you can compile as x86_64 on your aarch64 device like building your own kernel.
and every thing you need for your kali hacking excursions packed inside this kernel
source available at
P
https://github.com/Duhjoker/android_kernel_google_bonito/tree/Mad-Kali-MaxHunter-P3A-P
Q
https://github.com/Duhjoker/android_kernel_google_bonito/tree/Mad-Kali-MaxHunter-P3A-Q
R
https://github.com/Duhjoker/android_kernel_google_bonito/tree/Mad-Kali-MaxHunter-P3A-R
S
https://github.com/Duhjoker/android_kernel_google_bonito/tree/Mad-Kali-Maxhunter-P3A-S
Thanks to Lineage, ElementalX, Dirty Unicorns and beidl aka fredldotme.
Please use this kernel responsibly and mind the rights of others including and especially privacy.
To install flash Mad-Kali-MaxHunter-kernel.zip from twrp. also included are some libs and binaries and other such materials needed to get a fully working version of Kali-nethunter on your pixel 3A and 3A XL device. just unzip the kali-hacks.zip place in proper directories using twrp and give proper permissions.
Download Kali store install the chroot manager nethunter terminal and kex manager install your chroot and happy hunting
Once again and this is no laughing matter. please use this kernel responsibly and mind the rights of all people including and especially privacy.
The mad clown is not responsible for any thing you might do in good or bad concious
Download from here or my personal gihub repository to hold the prebuilt kernels in an anykernel3 zip. i update from time to time so check the dates on the zips.
GitHub - Duhjoker/Mad-Kali-MaxHunter-kernel-prebuilt: repository to hold prebuilt kali nethunter kernel
repository to hold prebuilt kali nethunter kernel. Contribute to Duhjoker/Mad-Kali-MaxHunter-kernel-prebuilt development by creating an account on GitHub.
github.com
COMING SOON
KALI-TOUCH! its like ubuntu touch but using a kali-linux root file system instead of ubuntu.
For pixel 3a sargo and bonito roms and more check out my mega!
16.68 GB folder on MEGA
74 files and 20 subfolders
mega.nz

change log:
Pie:::::::
10/9/21
improved systemd
10/10/21
now with built in wlan
Kernel can be used with any stock or custom rom
Q:::::::::
10/9/21
Brand new off the compiler
features::::::
same as Pie plus built in wlan.ko
Kernel can be used with any stock or custom rom
R::::::::::::
10/14/21
features::::::::::
same as above
S:::::::::::::
10/26/21
features:::::::::::
same as above
11/21/20
link time optimisation enabled
fix system warning on startup

what version its android 12 ??? thanks
regards

Can the pixel-3a deauth WPA networks?

the kernel versions are labled according thier corresponding letter in alphabetical order. p is 9, q is 10, r is 11 and 12 is s.
yes the pixel 3 is capable of de-auth of wpa networks although it will take longer than it would on a pc. if the tools are available the device can use them

all updated kernels will be found on my github page from here on out.
major update now for A12-S and A11-R kernels. the system warning at startup has been fixed. enjoy

can you make one for pixel 4a. i tried but failed

@Duhjoker
Ayy first off thanks for putting the kernal together! After tinkering with trying to get nethunter functional on my pixel 3a for about 3 days I figured it was time to reach out haha.
I did follow your instructions the best I could multiple ways. I now have re flashed lineage os many times and followed the guide from their site (https://wiki.lineageos.org/devices/sargo/install). I am running the p3a R kernal since I have android 11 running on the pixel. The kernal seems to be functional as it shows up as expected when looking inside of the nethunter app. I have magik v23 installed with root access and all is fine there. I did run into a hicups with the terminal throwing the error " "Required key not available"." when trying to run any commands from zsh from the kali terminal app.
I was able to resolve this problem by doing the following
SSH Bash: Required key not available
Hi guys, When I connect to my Nethunter through SSH from my laptop, (tried both root and kali as user). It seems the SSH bash environment is limited. with most commands I type in, the SSH terminal returns: -Bash: /usr/bin/TheCommandIJustTyped Required key not available I looked everywhere...
forums.kali.org
I've been able to solve the problem commenting the line:
#session optional pam_keyinit.so force revoke
in /etc/pam.d/sshd and /etc.pam.d/su-l files.
After restart chroot environment, write operations from chroot to Android encrypted data partition is working.
Click to expand...
Click to collapse
So I can get to a point where It appears that I have a "fully functional" nethunter app / terminal the problem arises when I actually try using it. I cannot seem to get any of the hardware functional. For example bluetooth interfaces listed under "bluetooth arsenal" show up as none. When trying to run the wlan1 or wlan0 in monitor mode it is not functional. I am not even able to scan for SSIDs of networks broadcasting.
I know you stated the following.
also included are some libs and binaries and other such materials needed to get a fully working version of Kali-nethunter on your pixel 3A and 3A XL device. just unzip the kali-hacks.zip place in proper directories using twrp and give proper permissions.
Click to expand...
Click to collapse
After many attempts and learning how the android filesystem / chroot are laid out I managed to copy the files from "kali-hacks.zip" into the "/system" directory. This made the most sense to me after poking around on the phone and online. This leads to my first question. Is this the correct file path to copy the files to? I applied a chroot 755 on the files and then ran "mount -o rw,remount /" to make root writable and simply copied all of the files over by doing "mv * /system" from the kali-hacks directory. This was all done as the root user from TWRP. I would assume if I did this correctly everything would be functional hardware wise. So either I am going about it all silly like or something is funky.
My second question is the following. Did you do anything to make sure that your file system is NOT encrypted? I know thats why zsh was giving me there error "Required key not available". Therefore, assuming that I did infact copy the kali_hack.zip files correctly I feel this may be the cause of my woes. When checking the kali nethunter documentation it does list that you need to make the system non-encrypted.
[Kernel]Kali-NetHunter kernel Pixel 3a and 3a XL sargo/bonito[Kernel]
WITH GREAT POWER COMES GREAT RESPONSIBILITY............ Please use kernel responsibly and respect the rights of others including and especially privacy! The mad tech clown is back with another Kernel for all of the Kali-linux-nethunter users...
forum.xda-developers.com
6. Flashing Universal DM-Verity & ForceEncrypt Disabler​IMPORTANT NOTE for Android 9, 10, & 11 users: Please ensure that you flash the Universal DM-Verity, ForceEncrypt Disabler and format the data partition prior to installing NetHunter. Magisk does not support user context changes on encrypted data partitions, which leads to errors when connecting to the Kali rootfs via ssh (i.e. “Required key not available”) if the data partition is encrypted.
Click to expand...
Click to collapse
Although funny enough when following the official docs the link from the site redirects you to "https://forum.xda-developers.com/t/...ncrypt-disk-quota-disabler-11-2-2020.3817389/" which then sends you to "https://github.com/Zackptg5/Disable_Dm-Verity_ForceEncrypt" which is depreciated and last updated 14 months ago... I still tried anyways out of desperation with a fresh install of lineage os using the method he provided to get a non encrypted filesystem. The outcome was not successful. (instructions I followed can be found in the XDA link above).
Thanks in advance if you get around to reading this. I have bashed my head against this for probably 20ish hours now over the last couple of days and exhausted all of my ideas. Any help is appreciated.
Recap on Questions (TL;DR)
1. How / at what time during install / where should I be copying the files in "kali-hacks.zip" to?
2. Did you do anything to make your file system not encrypted as recommended per the kali nethunter docs? If so how did you manage to do so?

The kali-hacks should be unzipped and copied to /syatem and i usually install them after getting the apks and rootfs installed.
As far as encrypted.... i do not know what you mean by that. Its best to let the gui app download the roots from thier server during install.

create for pixel 3 pls

Has anyone made this to use on pixel 3 XL yet?

hey guys i just updated the kernel to 12.1.

attached is a Mad-Kali-MaxHunter kernel for blueline and crosshatch pixel 3 (xl) only. let me know what you think

Super stoked for Kali-Touch! lmk if you need a tester - I've got spare phones.

PSA -
For anyone running the newest linage OS (19.1) on the pixel 3a and are struggling to get the nethunter app to boot properly after providing it root perms using magisk. Try the following, it worked for me.
get the app to boot properly you need to do the following
The issue was of Permissions - to solve the issue run the following commands in AndroidSU
Code:
pm grant com.offsec.nethunter android.permission.ACCESS_FINE_LOCATION
pm grant com.offsec.nethunter android.permission.ACCESS_COARSE_LOCATION
pm grant com.offsec.nethunter android.permission.READ_EXTERNAL_STORAGE
pm grant com.offsec.nethunter android.permission.WRITE_EXTERNAL_STORAGE
pm grant com.offsec.nethunter com.offsec.nhterm.permission.RUN_SCRIPT
pm grant com.offsec.nethunter com.offsec.nhterm.permission.RUN_SCRIPT_SU
pm grant com.offsec.nethunter com.offsec.nhterm.permission.RUN_SCRIPT_NH
pm grant com.offsec.nethunter com.offsec.nhterm.permission.RUN_SCRIPT_NH_LOGIN
NetHunter not open crashed (#306) · Issues · Kali Linux / NetHunter / Apps / kali-nethunter-app · GitLab
i have android version 11 on my phone and i can't use netuntar, its crashed every time
gitlab.com

Duhjoker said:
please make it available for pixel 4a (sunfish)
Click to expand...
Click to collapse

Hey guys, I'm trying to make it work but I'm out of luck
this is what I did:
1. I unlocked the phone and installed twrp recovery
2. I flashed the "Mad-Kali-MaxHunter-P3A-S.zip" using twrp
3. I used twrp to install magisk
4. Installed "KaliNethunter-v8.2(22).zip" using magisk modules
5. after reboot after updating the Nethunter app from the Nethunter Marketplace and giving it all the permissions that it requested it gives this error in the notification:
```
Nethunter: Startup
Root: OK.
BusyBox: OK.
Chroot: Chroot is not yet installed.
Make sure the above requirements are met.
```
and the Nethunter app keeps crashing as soon as it opens....

Possible to build some modules for this card?
GitHub - aircrack-ng/rtl8812au: RTL8812AU/21AU and RTL8814AU driver with monitor mode and frame injection
RTL8812AU/21AU and RTL8814AU driver with monitor mode and frame injection - GitHub - aircrack-ng/rtl8812au: RTL8812AU/21AU and RTL8814AU driver with monitor mode and frame injection
github.com

Magisk 24.3 "su" Permission denied

Greetings, I've been attempting for several days to execute "su" from adb shell. Essentially, Magisk 24.3 is properly installed within Android 12 on a Google Pixel 6. My primary purpose for rooting is to add my LAN entries to /system/etc/hosts.
An androidforums.com thread details the steps taken several times.
I would very much appreciate your help in getting "su" to work in Android 12 on a Pixel 6. No such problem occurred in Android 8.2 on a Nexus 6P.
Magisk is now uninstalled from the phone, and doesn't appear in the list of apps on the Pixel 6.
On the laptop:
$ adb install Magisk-v24.3.apk
Performing Streamed Install
Success
Invoking Magisk on the phone indicates that the App 24.3 (24300)(27) is installed, Magisk "Installed: NA"
From the factory image, unzipping image-oriole-sp2a.220305.013.a3.zip into a tmp directory:
$ adb push boot.img /storage/emulated/0/Download/boot.img
boot.img: 1 file pushed, 0 skipped. 51.4 MB/s (67108864 bytes in 1.246s)
In Magisk Install "Select and Patch a file", the boot.img is selected. "LET'S GO" results in a sequence ending with the name of the patched file and "All done!"
On the laptop:
adb pull /storage/emulated/0/Download/magisk_patched-24300_jdnPc.img magisk_patched.img
/storage/emulated/0/Download/magisk_patched-24300_jdnP...ulled, 0 skipped. 35.6 MB/s (67108864 bytes in 1.796s)
$ adb reboot bootloader
$ fastboot flash boot magisk_patched.img
Sending 'boot_a' (65536 KB) OKAY [ 1.683s]
Writing 'boot_a' OKAY [ 0.100s]
Finished. Total time: 1.785s
Android reboots normally. The Magisk app reports "Installed: 24.3 (24300)
On the laptop:
$ adb shell
oriole:/ $ su
Permission denied
13|oriole:/ $ exit
$
Please tell me where was my rooting error.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
I assure you that the correct factory boot.img was transferred to Magisk, and the correct patched *.img file was uploaded and flashed to the phone.

hstroph said:
Greetings, I've been attempting for several days to execute "su" from adb shell. Essentially, Magisk 24.3 is properly installed within Android 12 on a Google Pixel 6. My primary purpose for rooting is to add my LAN entries to /system/etc/hosts.
I would very much appreciate your help in getting "su" to work in Android 12 on a Pixel 6. No such problem occurred in Android 8.2 on a Nexus 6P.
Click to expand...
Click to collapse
I think what you are facing is less about su rights and privileges and more about modern versus legacy partitioning and file systems. See this StackExchange Q&A, in particular the second answer about a hosts file solution.
But instead of mounting /system in Android 12, which is more hardened than 10 and 11, a safer method would involve systemless hosts courtesy of Magisk. One issue with that, though, is that most people use systemless hosts for block lists that redirect in bulk to 127.0.0.0 or 0.0.0.0. Adding friendly host names and IPs gets tricky because ad blocking apps like Adaway tend to overwrite when updating, although Adaway's whitelisting option may do the trick. I've never tried it.
I'm in a similar boat since jumping from Android 9 to 12 when I bought a Pixel 6. Eventually I'd like to use my Pixel for accessing a localhost web server. Until a better idea comes along I'll either use my old Pie phone for local browsing or simply publish to the www server (for testing layouts and responsiveness, etc.). I haven't gotten serious about it yet but I'm interested in any method that doesn't involve /system modifications or reconfiguring my router.

manjaroid said:
I think what you are facing is less about su rights and privileges and more about modern versus legacy partitioning and file systems. See this StackExhange Q&A, in particular the second answer about a hosts file solution. ...
Click to expand...
Click to collapse
Thank you, that got me excited as termux allowed a root prompt. "mount -o rw,remount /" executed, the vi alias was created, but "vi /system/etc/hosts" informed me that the file was read-only.
Not sure what to do next, but again, thank you.

hstroph said:
Thank you, that got me excited as termux allowed a root prompt. "mount -o rw,remount /" executed, the vi alias was created, but "vi /system/etc/hosts" informed me that the file was read-only.
Not sure what to do next, but again, thank you.
Click to expand...
Click to collapse
We need to approach our hosts files differently than was possible with Oreo or Pie. The path with least resistance will be Magisk's built-in systemless hosts module. Mounting /system as rw may have worked for Android 10 or 11, but 12 is stricter and messing with anything on /system could cause a cascade of problems.
Also, the /system partition dynamically stays full despite usage reported in Settings/Storage, so there's no elbow room for even the smallest change and you might even see out of space errors if not read-only errors.
What to try? I don't have a good answer yet, only ideas. I will be looking into it and am happy to report back. Hopefully somebody smarter than me will chime in.

Thank you for your interest and efforts.

This XDA thread was revisited today and it reminded me to take a stab at my Pixel's hosts file. With little effort I'm now browsing web server hosts on a Windows laptop from Android 12. All I did was edit its hosts file same way I've always done. Obviously I didn't have have a good grasp of the Magisk overlay and how it symlinks Android's native hosts file.
/system in Android 10+ may be off limits to many legacy operations but not the hosts file as long as Magisk's systemless hosts module is enabled. For su access it's just a matter of granting it to a root capable file manager with a text editor, such as MiXplorer or Solid Explorer.
Here's an example of what's needed for Android 12 browsers to connect to Apache virtualhosts on Windows:
Windows 10 laptop (192.168.1.234) - c:\Windows\System32\drivers\etc\hosts
127.0.0.1 site1.local
127.0.0.1 site2.local
Android 12 Pixel - /system/etc/hosts
192.168.1.234 site1.local
192.168.1.234 site2.local
Hope this is pertinent to what you're trying. Sorry for making it sound impossible earlier.

manjaroid said:
This XDA thread was revisited today and it reminded me to take a stab at my Pixel's hosts file. With little effort I'm now browsing web server hosts on a Windows laptop from Android 12. All I did was edit its hosts file same way I've always done. Obviously I didn't have have a good grasp of the Magisk overlay and how it symlinks Android's native hosts file.
/system in Android 10+ may be off limits to many legacy operations but not the hosts file as long as Magisk's systemless hosts module is enabled. For su access it's just a matter of granting it to a root capable file manager with a text editor, such as MiXplorer or Solid Explorer.
...
Click to expand...
Click to collapse
I'd very much like to know what "little effort" it took, please.
Magisk has the systemless module enabled, both MIXplorer and Solid Explorer have root privileges, but neither can copy my downloaded hosts file to /system/etc/hosts ... no success using the MIXplorer text editor either as per your suggestion

hstroph said:
I'd very much like to know what "little effort" it took, please.
Click to expand...
Click to collapse
I edited the hosts file directly by tapping it in MiXplorer and picking an editor. Then I just added a few lines, saved, and that was it. If you have lots of tedious entries try copy/pasting your text instead of trying to replace the file.
I know it doesn't quite make sense since your file managers have root. But overwriting a file on read-only /system is something completely different than opening and editing the hosts file like an ad blocker would do, which is only possible because of the systemless hosts module.

manjaroid said:
... But overwriting a file on read-only /system is something completely different than opening and editing the hosts file like an ad blocker would do, which is only possible because of the systemless hosts module.
Click to expand...
Click to collapse
Which hosts file are you successfully editing, please? Android 12 absolute pathname, if you would be so kind.

hstroph said:
Which hosts file are you successfully editing, please? Android 12 absolute pathname, if you would be so kind.
Click to expand...
Click to collapse
Edit /system/etc/hosts just as you would have done before Android 10, which didn't require the systemless hosts module.
I don't understand most of how systemless root works. But as far as I know, Magisk's systemless hosts module 'hijacks' (for lack of better discription) the hosts file from the system and makes it systemless, similar to a system app converting to a user app.

manjaroid said:
Edit /system/etc/hosts just as you would have done before Android 10, which didn't require the systemless hosts module.
Click to expand...
Click to collapse
I have attempted that many times:
$ adb shell
oriole:/ $ su
Permission denied
13|oriole:/ $
This was in anticipation of a "mount -o rw,remount /system" command in Android 8.2 on a Nexus 6P phone. It no longer works on Android 12 on a Pixel 6. Even a successful su in Termux fails to edit the /system/etc/hosts, or to make either / or /system rw.
Are you actually using Android 12, or are you reciting from memory? Your screen shots are appreciated.

hstroph said:
Are you actually using Android 12, or are you reciting from memory? Your screen shots are appreciated.
Click to expand...
Click to collapse
My Pixel runs Android 12 build SPA2A.220405.004 and Magisk 24.3. Screen shots won't show anything useful.
The su command in adb shell or Termux aren't needed even if mounting /system with write permission was possible. You're chasing your tail going about it this way.
A root file manager used as described is all that's needed to edit the hosts file. If you're being denied write access there must be something wrong with Magisk, systemless hosts, interference from other Magisk modules or something else.
To trouble shoot Magisk,
- try disabling systemless hosts in Magisk, reboot, re-enable it again & reboot again
- if using Magisk Canary try the more stable 24.3
A simple way to test systemless hosts is to install Adaway, choose the root option and grant su access. If the module is working Adaway will build a large hosts file from preset lists.
- a storage full error on the first run isn't unusual, but it should write to the hosts file next run
- if there's constant errors something isn't right, probably with Magisk or systemless hosts
- if it does write to the hosts file you should be able to edit it manually
- disable all block lists before uninstalling Adaway to empty the hosts file

manjaroid said:
My Pixel runs Android 12 build SPA2A.220405.004 and Magisk 24.3. ...
Click to expand...
Click to collapse
My Pixel 6 runs Android 12 build SPA2A.220305.013.A3 with Magisk 24.3
manjaroid said:
A root file manager used as described is all that's needed to edit the hosts file. If you're being denied write access there must be something wrong with Magisk, systemless hosts, interference from other Magisk modules or something else.
...
A simple way to test systemless hosts is to install Adaway, choose the root option and grant su access. If the module is working Adaway will build a large hosts file from preset lists.
Click to expand...
Click to collapse
Before Adaway (from adb shell):
oriole:/ $ wc -l /system/etc/hosts
2 /system/etc/hosts
After Adaway:
oriole:/ $ wc -l /system/etc/hosts
110315 /system/etc/hosts
manjaroid said:
- if it does write to the hosts file you should be able to edit it manually
Click to expand...
Click to collapse
I can add a LAN line before all the 127.0.0.1 entries using the rooted MIXplorer text editor, but the file still won't save.
manjaroid said:
- disable all block lists before uninstalling Adaway to empty the hosts file
Click to expand...
Click to collapse
There were no previous block lists of any kind. I have simply been trying to add a couple dozen LAN entries on this new phone.
I think I've followed instructions as carefully as possible, but still no luck.

hstroph said:
My Pixel 6 runs Android 12 build SPA2A.220305.013.A3 with Magisk 24.3
Before Adaway (from adb shell):
oriole:/ $ wc -l /system/etc/hosts
2 /system/etc/hosts
After Adaway:
oriole:/ $ wc -l /system/etc/hosts
110315 /system/etc/hosts
I can add a LAN line before all the 127.0.0.1 entries using the rooted MIXplorer text editor, but the file still won't save.
There were no previous block lists of any kind. I have simply been trying to add a couple dozen LAN entries on this new phone.
I think I've followed instructions as carefully as possible, but still no luck.
Click to expand...
Click to collapse
Systemless hosts appears to be working if there were no errors and 110315 entries were written to hosts.
In MiXplorer's Settings/More Settings, is the first item for Allow Root checked? I don't remember if the default is checked or not but it needs to be checked. The equivalent setting in Solid Explorer is off by default.
My two screenshots show before and after enabling/disabling Adaway's block lists. The second image shows Adaway's leftovers along with my own lines added manually and the file is saved (save button being greyed out). If you're unable to get the same results I'm stumped and need to think about what's going wrong.

manjaroid said:
..
In MiXplorer's Settings/More Settings, is the first item for Allow Root checked? I don't remember if the default is checked or not but it needs to be checked.
Click to expand...
Click to collapse
It is checked in MIXplorer.
manjaroid said:
The equivalent setting in Solid Explorer is off by default.
Click to expand...
Click to collapse
I'm unable to locate an equivalent setting in Solid Explorer (SE), but root usage was granted through Magisk 24.3 when I used SE for the first time.
manjaroid said:
My two screenshots show before and after enabling/disabling Adaway's block lists. The second image shows Adaway's leftovers along with my own lines added manually and the file is saved (save button being greyed out). If you're unable to get the same results I'm stumped and need to think about what's going wrong.
Click to expand...
Click to collapse
My attached image shows a failure to save in MIXplorer after adding a single "192.168.1.13 tncpi" line.
I've been stumped on the matter ever since Android 12 on this new Pixel 6.

Is Zygisk enabled in Magisk? I assume you followed this guide for rooting.
[GUIDE] Pixel 6 "oriole": Unlock Bootloader, Update, Root, Pass SafetyNet
⚠️⚠️⚠️WARNING! IF YOU ARE UPDATING TO ANDROID 13 FOR THE FIRST TIME, READ THIS FIRST! ⚠️⚠️⚠️ If you are looking for my guide on a different Pixel, find it here: Pixel 3 Pixel 3XL Pixel 3a Pixel 3aXL Pixel 4 Pixel 4XL Pixel 4a Pixel 4a (5G)...
forum.xda-developers.com
Appending a line using Termux works for me also. Are you denied when you try?
Code:
$ su
# echo 192.186.1.234 site3.local >> /system/etc/hosts
If that works there's no reason a root file manager shouldn't work. (To enable root in Solid Explorer tap the hamburger icon upper left then the sprocket icon and scroll down.)
If nothing works I'm thinking either 1) root isn't complete or 2) attempts at /system mounting had a negative effect. Options to consider:
- remove Magisk and repeat the root process
- remove Magisk, install the April OTA update, then root
- factory reset or flash the April factory zip, then root
My suggestion: Might as well go the full route and factory reset or clean flash. Particularly if there's any chance something went wrong in the root file system.

manjaroid said:
Is Zygisk enabled in Magisk?
Click to expand...
Click to collapse
It is now, so I have more to learn what Zygisk enables.
manjaroid said:
I assume you followed this guide for rooting.
[GUIDE] Pixel 6 "oriole": Unlock Bootloader, Update, Root, Pass SafetyNet
⚠️⚠️⚠️WARNING! IF YOU ARE UPDATING TO ANDROID 13 FOR THE FIRST TIME, READ THIS FIRST! ⚠️⚠️⚠️ If you are looking for my guide on a different Pixel, find it here: Pixel 3 Pixel 3XL Pixel 3a Pixel 3aXL Pixel 4 Pixel 4XL Pixel 4a Pixel 4a (5G)...
forum.xda-developers.com
Click to expand...
Click to collapse
Correct ... re-flashed factory image, then rooted with Magisk. Process repeated several times carefully, all with same results.
manjaroid said:
Appending a line using Termux works for me also. Are you denied when you try?
Click to expand...
Click to collapse
Appending a line works with Termux. Saving /system/etc/hosts after editing within Termux or Solid Explorer fails.
manjaroid said:
Code:
$ su
# echo 192.186.1.234 site3.local >> /system/etc/hosts
Click to expand...
Click to collapse
Success.
manjaroid said:
If that works there's no reason a root file manager shouldn't work. (To enable root in Solid Explorer tap the hamburger icon upper left then the sprocket icon and scroll down.)
Click to expand...
Click to collapse
Well, neither root file explorer works to save the file, but appending other text to /system/etc/hosts works, so I'll just write a simple shell script that I can run as needed.
I want to thank you so much for your patient help. I never thought Google would make things so difficult for those of us who need the use of a pocket Linux computer.
Please consider this thread closed.

[Temp ROOT] - [BOOTLESS MAGISK] - [UNLOCK/MAGISK/TWRP] FireTV 2nd gen Cube (raven) > PS7624

Overview
This rooting method is based on a vulnerability in the ARM Mali GPU driver (CVE-2022-38181) discovered by security researcher Man Yue Mo at GitHub Security Lab, to gain root access to the 2nd gen Cube that is on firmware PS7624/3337 or older. Newer method for PS7633 and PS7646 here.
The exploit program (raven_shrinker) is run directly on the Cube to spawn a temporary root shell for quick access. It can also be run automatically on every boot in combination with @diplomatic's bootless Magisk script to grant apps root access. Cubes that are on firmware PS7292/2984 or older, are able to use @Functioner's bootloader exploit used in the previous Raven Root bootloader unlock to install TWRP & full Magisk without a DFU device.
For best results, run raven_shrinker 30-90sec after boot up, when loading is complete and the device is idle.
Three options for root depending on your needs & comfort level
1) Temporary ADB root - Open an adb root shell to for quick access (PS7624/3337 or older)
Pros:
Access all files and folders from ADB
Simple to use, runs in RAM and doesn't make any changes to the Cube, no chance of bricking.
Remove app package protection so that you can enable/disable any app even without root (eg custom launchers, disabling updates, debloat, etc).
Cons:
Only enables ADB root
raven_shrinker occassionally crashes/reboots the Cube when being run. Run it 30-90sec after bootup for greater reliability.
NOTE: raven_shrinker won't brick your device, but what you do with that root access can. DM-verity is still in place checking the integrity of the system/vendor partitions, do NOT modify anything in those directories, or the boot partition!!
2) Bootless Magisk - Automatically start a lite version of Magisk that runs entirely from the data partition, (PS7624/3337 or older).
Pros:
Both ADB root and ability to grant root to apps through Magisk Manager
Once the Magisk dameon has started, root can be granted stably whenever needed
Doesn't modify boot or system/vendor partitions, DM-verity is preserved
Cons:
This is experimental, use at your own risk! It's been working stably during my testing but it's impossible to foresee every issue.
Still relies on raven_shrinker to start, and may occasionally crash when raven_shrinker runs at boot
Most Magisk modules don't work.
NOTE: Be careful of what apps you give root access to. Giving root access to an app that modifies the boot, system or vendor partitions will brick your device. Again, DM-verity is still actively checking that no changes have been made to system/vendor directories.
3) Bootloader Unlock - Install Magisk & TWRP, and enable many more features (PS7292/2984 or older)
Pros:
Use the latest version of Magisk, with Zygisk & module support
Use TWRP for backups & upgrades
Unrestricted use of Fastboot and the U-Boot command line (Amlogic Update)
Only requires raven_shrinker for the initial installation, more stable and tested than bootless Magisk
Remap Cube buttons to allow booting to fastboot, TWRP, Amlogic update.
Possible to update firmware to PS7624/3337 through TWRP and keep device unlocked
Cons:
There is no recovery option in case of a brick.
Requires older firmware to work
NOTE: It's very important to NEVER allow the Amazon OTA app to update the firmware. NEVER run the factory reset option in FireOS settings. If either of these occur, the Cube will be bricked.
Contributors:
Man Yue Mo, @Functioner, @Pro-me3us
Thanks to @Michajin & @mavsman13 for testing & feedback
Thanks to @diplomatic for bootless Magisk script, and @SweenWolf for Launcher Manager
Thanks to @Renate for many great tools
Thanks to all the folks who have worked on TWRP & Magisk

Temporary ADB root (PS7624/3337 or older)
Disclaimer: Use this at your own risk, I'm not responsible for any data loss or corruption to your device. There is a nonzero chance of bricking the Cube, and little to no recovery options.
Instructions
Enable ADB debugging in FireOS settings
Download, unzip and copy raven_shrinker to your Cube
Code:
adb push raven_shrinker /data/local/tmp/
Give raven_shrinker execution permission (only needs to be done once)
Code:
adb shell
chmod +x /data/local/tmp/raven_shrinker
Run the program
For best results, run raven_shrinker 30-90sec after boot up, when loading is complete and the device is idle.
Code:
adb shell
/data/local/tmp/raven_shrinker
NOTE: Some functions do not work with this root shell. Services can't be accessed, so package manager 'pm' commands can't be run as root. However, package protections can still be removed so that you can enable/disable any app without root. Use bootless Magisk option if you need to access services as root.
How to disable package protection
Use raven_shrinker to open a root shell and delete all the apps listed in the file /data/system/PackageManagerDenyList
Code:
echo '<?xml version="1.0" encoding="utf-8" standalone="yes" ?><map><set name="DenyListKeyPackages"></set></map>' > /data/system/PackageManagerDenyList
Exit out of the root shell, and clear Arcus Proxy
Code:
exit
pm clear com.fireos.arcus.proxy
A reboot is required before the changes take effect, but FireOS will attempt to connect to Amazon servers on bootup and rebuild PackageManagerDenyList. Temporarily disable your internet, so that the Cube can't connect to the internet, then reboot.
Package protections are now removed, and Arcus Proxy needs to be disabled to prevent it from being re-activated
Code:
pm clear com.fireos.arcus.proxy
pm disable-user com.fireos.arcus.proxy
Re-enable your Internet. You should now be able to enable/disable any app. Verify that any apps you disable are actually disabled. Then reboot, and verify again!
Code:
pm list packages -d
It's strongly recommended that you disable updates immediately
Code:
pm disable-user com.amazon.device.software.ota
pm clear com.amazon.device.software.ota
pm disable-user com.amazon.device.software.ota.override
pm disable-user com.amazon.tv.forcedotaupdater.v2
Changelog:
v1.1 April 23th, 2023​
Fix for PS7608/3614
v1.2 May 4th, 2023​
added support for PS7206/1098
v1.3 June 23rd, 2023​
added support for PS7201/942

Bootless Magisk (PS7624/3337 or older)
These instructions use an adapted version of @diplomatic's bootless Magisk script, it's recommended you read the original post to better understand how it works, and it's limitations.
Disclaimer: Use this at your own risk, we're not responsible for any data loss or corruption to your device. There is a nonzero chance of bricking the Cube, and little to no recovery options.
There are two reports of a possible compatibility issue with PS7614/3227, so we aren't recommending this method for that firmware at this time.
Instructions
Enable ADB debugging in FireOS settings
Download raven_bootless_magisk, unzip it, and copy it to your Cube keeping the same directory structure
Code:
adb shell mkdir /data/local/tmp/bin
adb push raven_bootless_magisk/* /data/local/tmp/
adb shell pm install -r /data/local/tmp/magisk_manager.apk
Give scripts & binaries execution permissions
Code:
adb shell
chmod +x /data/local/tmp/start.sh
chmod +x /data/local/tmp/magisk-boot.sh
chmod +x /data/local/tmp/bin/raven_shrinker
chmod +x /data/local/tmp/bin/magiskinit
Install Launcher Manager on your Cube, open, navigate to 'other settings', 'ADB Commands'
Tap on the + icon in the top right corner to create a new command
Enter Name: Start Magisk
Enter Command: sleep 30 && /data/local/tmp/start.sh
Check 'Execute on Boot'
Save
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
When you reboot your Cube, bootless Magisk will automatically start ~30sec after your homescreen loads. It's important that FireOS has loaded and that the device isn't busy, so don't open any apps until after Magisk has loaded. There's a greater chance that raven_shrinker will fail or reboot the Cube while launching Magisk if the device is busy.
TO AVOID BRICKING YOUR DEVICE:
Be careful of what apps you give root access to. Giving root access to an app that modifies the boot, system or vendor partitions will brick your device. DM-verity is still actively checking that system/vendor directories haven't been tampered with.
Don't run the boot-magisk.sh script (from either ADB or Launcher Manager) more than once per boot. Doing so will mess up the mounting and module initiation.
Never toggle ADB debugging off/on in the Developer's menu while Magisk is running. This will kill the Magisk daemon running in the background, and could corrupt your device if it's in the middle of an important process.
Only use WiFi ADB, not USB ADB. Booting the Cube with an USB attached computer puts USB in device mode, and ADB will close and kill Magisk when the Cube sleeps in device mode.
This release includes Magisk v21.4 (magiskinit) and Magisk Manager v8.0.7. Don't update Magisk! Patching your boot image will brick your device!
Changelog:
v1.1 April 23th, 2023​
Fix for PS7608/3614
v1.2 May 4th, 2023​
Added support for PS7206/1098
v1.3 June 23rd, 2023​
Added support for PS7201/942

Bootloader unlock, install TWRP & Magisk (PS7292/2984 or older)
This rooting method will put your Cube on the same exploit and software versions used in the original Raven Root, without a DFU recovery option. Please post any questions or problems regarding this post & it's process, on the Raven Root thread.
Disclaimer: Use this at your own risk, I'm not responsible for any data loss or corruption to your device. There is a nonzero chance of bricking the Cube, and little to no recovery options.
NEVER FACTORY RESET YOUR CUBE!!!
NEVER ALLOW AN AMAZON OTA UPDATE!!!
Both of these will brick your Cube!
To avoid any potential conflicts, if you were previously using a different version of Magisk, such as bootless Magisk (v21.4), first delete /data/adb/magisk.db before proceeding.
Instructions
Enable ADB debugging in FireOS settings
Download the raven_root_shrinker, unzip, and copy the 7 files to /data/local/tmp on the Cube
Code:
adb push raven_root_shrinker/* /data/local/tmp/
Give raven_shrinker & install script executable permissions
Code:
adb shell
chmod +x /data/local/tmp/raven_shrinker
chmod +x /data/local/tmp/install_root.sh
Open a root shell and run the install_root.sh script
Code:
adb shell
/data/local/tmp/raven_shrinker
/data/local/tmp/install_root.sh
Finish by typing 'exit' to switch root back to regular shell, install Magisk Manager, and reboot to TWRP
Code:
exit
pm install -r /data/local/tmp/magisk.apk
reboot recovery
The Cube will reboot to TWRP, automatically flash Magisk and Amazon OTA blocker module, then reboot back to FireOS.
NOTE: It's very important to NEVER allow the Amazon OTA app to update the firmware. NEVER run the factory reset option in FireOS settings. If either of these occur, the Cube will be bricked.
Read here for TWRP firmware flashing instructions
Changelog:
v2.2.1 April 23th, 2023​
Added additional Magisk script to help prevent user from accidentally initiating FireOS factory reset.
If you already installed v2.2, you can copy and paste the following as one ADB command to add this script to your Cube:
Code:
echo '#!/sbin/sh
# Rename misc partition
mv /dev/block/misc /dev/block/misc_real
# Create symbolic links
ln -s /dev/null /dev/block/misc' > /data/adb/post-fs-data.d/misc_hide.sh && chmod +x /data/adb/post-fs-data.d/misc_hide.sh
v2.2.2 May 4th, 2023​
Added support for PS7206/1098
v2.2.3 June 23rd, 2023​
Added support for PS7201/942

reserved

to bad: mine was already on PS7633/3445

Hey @Pro-me3us . I've been trying to use the 2.2 update with no luck. My cube is on version PS7292/2984. I keep getting the message "/data/local/tmp/raven_shrinker: can't execute: Permission denied." Not sure what I'm doing wrong. Any help would be greatly appreciated.

coltxL2717 said:
Hey @Pro-me3us . I keep getting the message "/data/local/tmp/raven_shrinker: can't execute: Permission denied."
Click to expand...
Click to collapse
I didn't need to change the permissions on raven_shrinker while testing, but maybe that's different on other firmware versions.
Try this:
Code:
chmod +x /data/local/tmp/raven_shrinker
This will give the file execution permission. Let me know if that works, then I'll add it to the instructions. You only need to do this once for that file.
You may also need to do the same for install_root.sh in that case. Try running it first without, and if needed use:
Code:
chmod +x /data/local/tmp/install_root.sh

Pro-me3us said:
I didn't need to change the permissions on raven_shrinker while testing, but maybe that's different on other firmware versions.
Try this:
Code:
chmod +x /data/local/tmp/raven_shrinker
This will give the file execution permission. Let me know if that works, then I'll add it to the instructions. You only need to do this once for that file.
You may also need to do the same for install_root.sh in that case. Try running it first without, and if needed use:
Code:
chmod +x /data/local/tmp/install_root.sh
Click to expand...
Click to collapse
That did it. Thank you so much. I had to chmod both files for the root to work.

coltxL2717 said:
That did it. Thank you so much. I had to chmod both files for the root to work.
Click to expand...
Click to collapse
Thanks for confirming, added granting executable permissions to the instructions

How to block future updates?

errut said:
How to block future updates?
Click to expand...
Click to collapse
Post #2 (needs root). unless you are on PS7633/3445 +, then you have to do it on a network router blocking the OTA webwites.

Good afternoon . I would like to clarify whether it is possible to install TWRP on my Cube?

teschke said:
Good afternoon . I would like to clarify whether it is possible to install TWRP on my Cube?
Click to expand...
Click to collapse
Yes, your firmware is older than PS7292 so you can use these instructions
This will install TWRP 3.7.0-9.0 + Magisk 25.208.

Hi all,
where can I DL "The exploit program (raven_shrinker") ?

u_no_fr said:
Hi all,
where can I DL "The exploit program (raven_shrinker") ?
Click to expand...
Click to collapse
It's part of each of the three methods listed in the OP
1) Temporary root (raven_shrinker only)
2) bootless Magisk
3) bootloader unlock
Check the post attachments

Hi,
Thanks for posting this.
I have two Gen 2 Cubes that are on Fire OS 7.2.4.2 (PS7242/2906). Both have updates blocked.
If I installed TWRP and Magisk, what can I do? Are there and roms you recommend I install?
Sorry for asking. I have installed roms on old Samsung and LG phones but never done anything like this on Fire TV products.
Thanks

Osaka_23 said:
I have two Gen 2 Cubes that are on Fire OS 7.2.4.2 (PS7242/2906). Both have updates blocked.
If I installed TWRP and Magisk, what can I do? Are there and roms you recommend I install?
Click to expand...
Click to collapse
There aren't any custom ROMs for the Cube at the moment. TWRP would let you update to PS7624/3337 while maintaining root, but honestly I don't see a whole lot of benefit to the post PS7273 firmware. There are a handful of small new features, nothing particularly great IMO.
Magisk might actually have more of a functional benefit for you. With that you can grant apps root, and use modules. Exposed Edge is very nice, and will let you completely remap your remote buttons, including double and tripple clicks, overlays, shortcuts, etc. You can change the bootup logo, use file explorers with full system access etc. TWRP/Magisk are just the tools, what you do with them is up to you

Hello Pro-me3us, my cube is running PS7633/3445. I followed the instructions #2 to Temporary ADB root (PS7624/3337 or older)
I was able to push the file (or i had to push the folder???)
Well, then after
raven:/ $ /data/local/tmp/raven_shrinker
fingerprint: Amazon/raven/raven:9/PS7633.3445N/0027347744000:user/amz-p,release-keys
/data/local/tmp/raven_shrinker: flags_change failed
: Invalid argument
what can i do now?
any help ?
thanks
Note: the file was pushed because:
1|raven:/ $ cd /data/local/tmp/
127|raven:/data/local/tmp $ ls
raven_shrinker

yakovperelman69 said:
my cube is running PS7633/3445
Click to expand...
Click to collapse
The vulnerability was patched in PS7633/3445, so it won't work on any firmware newer than PS7624/3337. There's no workaround.