cd ../tutorials
    root@mhfh:~# less posts/cve-2024-32896.md
    posts/cve-2024-32896.md
    CVE-2024-32896 · 22 min · mhfh research · 2024-06-18

    Rooting Pixel via Firmware Privilege Escalation

    Step-by-step exploitation of a Pixel-specific bootloader logic flaw to land a persistent root shell without unlocking the bootloader.

    #Android #Pixel #LPE #Firmware
    $cat snippet.sh
    adb shell /data/local/tmp/exploit.bin --trigger
    ./pixel-lpe --target=oriole --kaslr-leak

    Overview

    A logic flaw in Pixel-specific vendor firmware allows local privilege escalation to root without unlocking the bootloader.

    Setup

    $cat snippet.sh
    adb push exploit.bin /data/local/tmp/
    adb shell chmod +x /data/local/tmp/exploit.bin

    Stage 1 — Trigger

    $cat snippet.sh
    adb shell /data/local/tmp/exploit.bin --trigger

    Stage 2 — KASLR leak & escalate

    $cat snippet.sh
    ./pixel-lpe --target=oriole --kaslr-leak

    After the leak we patch selinux_enforcing and spawn a root shell.

    Mitigation

    Apply the June 2024 Pixel security update.
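    Added verification script (not part of the original post or the tool it describes): it checks whether a device's security patch level is at or past the June 2024 update. It reads the real Android property ro.build.version.security_patch (YYYY-MM-DD) via adb and assumes 2024-06 as the month threshold; adb output is only used when run with --device.

```sh
#!/bin/sh
# Added example (not from the original post): verify that a Pixel's
# security patch level is at or past the June 2024 update that the
# post names as the mitigation. Threshold month is an assumption.

REQUIRED_YM=202406   # YYYYMM of the June 2024 Pixel security update

# is_patched LEVEL
#   0 -> LEVEL (YYYY-MM-DD) is June 2024 or later
#   1 -> LEVEL is older than June 2024
#   2 -> LEVEL is empty or not a YYYY-MM-DD string
is_patched() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    ym="${level%-*}"                          # strip the day: YYYY-MM
    ymnum=$(printf '%s' "$ym" | tr -d '-')    # YYYYMM as a decimal
    if [ "$ymnum" -lt "$REQUIRED_YM" ]; then
        return 1
    fi
    return 0
}

# device_patch_level: read the patch level from the attached device.
# adb prints CRLF line endings, so the trailing CR is stripped.
device_patch_level() {
    adb shell getprop ro.build.version.security_patch | tr -d '\r\n'
}

# check_device: report the device state using the helpers above.
check_device() {
    lvl=$(device_patch_level)
    if is_patched "$lvl"; then
        echo "patched: security patch level $lvl"
        return 0
    fi
    rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "could not read a valid security patch level ('$lvl')"
    else
        echo "NOT patched: security patch level $lvl is before 2024-06"
    fi
    return "$rc"
}

if [ "${1:-}" = "--device" ]; then
    check_device
fi
```

Run as `sh check-patch.sh --device` with a single device attached over adb; without the flag the script only defines the functions.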