This is an exploit designed to get elevated privileges (UID 1000) on locked-down but vulnerable devices where the Android build is signed with a test key (for example, some kids' tablets).
It works by patching a system app that runs with UID 1000 (typically the Settings app) to inject a backdoor into it, through which you can run commands as the app's user. Technically, you can patch any app with this backdoor, not just system apps.
After patching, the app is signed with the test key, allowing you to install it on top of the existing system app.
The system user (UID 1000) has almost as much privilege as the root user, but what you can or cannot do will vary depending on the SELinux rules of the ROM. On some ROMs, the patched Settings app won't even launch, because SELinux restricts the execution of apps with UID 1000 when they are installed in /data/app.
Pre-requisites/dependencies:
- A working Java runtime environment (to run the .jar files located in `bin/`) and a JDK (to compile the patch)
- Python 3 (to run the patcher script `patcher.py`)
- A GNU/Linux or macOS PC. Windows will never be officially supported, so you are welcome to fork this repo and add Windows support.
- An Android device running a ROM signed with test keys
- Ability to install APKs on the device
- (Optional) USB debugging support on the device, and the latest platform-tools installed on your PC.
Steps
- Clone this repo:
  git clone https://github.com/IsHacker003/testbuild_exploit && cd testbuild_exploit
- Place the APK of the system app you want to patch inside the "apk" folder, after renaming it to `app.apk`. You can either get the APK from the stock ROM or pull it from the device (if you have ADB/USB debugging access). For example, to pull the Settings APK (DO NOT COPY):
  adb pull /system/priv-app/Settings/Settings.apk && mv Settings.apk apk/app.apk
  NOTE: If the APK is odexed (i.e. there are no `classes.dex` files inside the APK), you need to deodex it first.
- Run patcher.py:
  python3 patcher.py
- Enter the package name of the app to be patched. If you don't know the package name, first decompile the APK using `apktool` (or whatever program you prefer) and check the package name. If the package name is `com.android.settings` (i.e. you are patching the Settings app), just press Enter to continue the patching process; there is no need to type anything.
- After the patching process has finished, just install the generated `<package name>.apk` file on the device normally. If you have USB debugging access, you can install it directly using ADB. For example:
  adb install com.android.settings.apk
Enjoy! Now you are ready to run commands.
There are two ways to run commands through the backdoor.
1. ADB shell:
If you have USB debugging on the device, type this in `adb shell`:
am broadcast -n <package name>/.CmdReceiver -e Cmd "<command>"
Here `<package name>` is the package name of the patched app, and `<command>` is the shell command that you want to run.
For example, if you want to run the command `whoami` and you have patched the Settings app, type:
am broadcast -n com.android.settings/.CmdReceiver -e Cmd "whoami"
To get the output of the command, run this in a different terminal window:
adb logcat | grep "CmdReceiver"
For example, the output of the above command (`whoami`) will look like:
10-08 13:02:20.356 4208 4208 D CmdReceiver: system
Here, the part after `CmdReceiver:` is your output ("system" in this case).
2. App:
If the device doesn't allow USB debugging (or if you just want a more convenient method), you can use my Command executor app.
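As an added defender-side check (example code, not part of this repo), the following Python audits a device's `adb shell getprop` output for the build conditions this technique relies on (test-key signing, debuggable builds) and parses the logcat line format shown above to flag backdoor command output. Both sample inputs are constructed, not captured from a real device.

```python
import re

# Constructed sample of `adb shell getprop` output (not from a real device).
SAMPLE_PROPS = """\
[ro.build.tags]: [test-keys]
[ro.build.type]: [userdebug]
[ro.build.fingerprint]: [vendor/tablet/tablet:9/PPR1/123:userdebug/test-keys]
[ro.debuggable]: [1]
[ro.secure]: [0]
"""

# Constructed logcat lines in the `D CmdReceiver: <output>` format shown above.
SAMPLE_LOGCAT = """\
10-08 13:02:20.356 4208 4208 D CmdReceiver: system
10-08 13:02:21.001 1234 1234 I ActivityManager: Start proc 4208:com.android.settings
"""

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$", re.M)
LOG_RE = re.compile(r"^(\S+ \S+)\s+(\d+)\s+(\d+)\s+([A-Z]) CmdReceiver: (.*)$")


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict of property name -> value."""
    return dict(PROP_RE.findall(text))


def audit_build_props(text):
    """Return human-readable findings for properties that weaken the device."""
    props = parse_getprop(text)
    findings = []
    tags = props.get("ro.build.tags", "")
    if "test-keys" in tags or "dev-keys" in tags:
        findings.append("ro.build.tags=%s: build is signed with public test keys, so "
                        "any test-key-signed APK can replace a system app" % tags)
    if props.get("ro.build.type") in ("userdebug", "eng"):
        findings.append("ro.build.type=%s: non-production build" % props["ro.build.type"])
    if props.get("ro.debuggable") == "1":
        findings.append("ro.debuggable=1: all apps are debuggable")
    if props.get("ro.secure") == "0":
        findings.append("ro.secure=0: adbd runs as root")
    return findings


def find_backdoor_output(text):
    """Extract CmdReceiver log lines (time, pid, command output) from logcat text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            hits.append({"time": m.group(1), "pid": int(m.group(2)), "output": m.group(5)})
    return hits
```

On a real device, feed `adb shell getprop` and `adb logcat -d` output to these functions; an empty findings list and no CmdReceiver hits is the expected result on a release-keys build.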