
[DANGER] Backdoor found in Allwinner Linux kernel. ALL Allwinner H3/A83T/H8 devices with "sunxi-3.4" kernel are vulnerable to privilege escalation



echo "rootmydevice" > /proc/sunxi_debug/sunxi_debug

Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Maker

Wednesday, May 11, 2016


Mohit Kumar

How to Hack an Android device?

It is possibly one of the most frequently asked questions on the Internet.

Although it's not that simple to hack Android devices and gadgets, sometimes you just get lucky and find backdoor access.

That is thanks to Allwinner, a Chinese ARM system-on-a-chip maker, which has recently been caught shipping a version of the Linux kernel with an incredibly simple and easy-to-use built-in backdoor.

Chinese fabless semiconductor company Allwinner is a leading supplier of application processors that are used in many low-cost Android tablets, ARM-based PCs, set-top boxes, and other electronic devices worldwide.

Simple Backdoor Exploit to Hack Android Devices

All you need to do to gain root access to an affected Android device is…

Send the text "rootmydevice" to any undocumented debugging process.

The local privilege escalation backdoor code for debugging ARM-powered Android devices managed to make its way into shipped firmware after firmware makers wrote their own kernel code underneath a custom Android build for their devices, though the mainstream kernel source is unaffected.

The backdoor code is believed to have been left by mistake by the authors after completing the debugging process.

To exploit this issue, any process running with any UID can be converted into root easily by simply using the following command:

    echo "rootmydevice" > /proc/sunxi_debug/sunxi_debug

The Linux 3.4-sunxi kernel was originally designed to support the Android operating system on Allwinner ARM for tablets, but later it was used to port Linux to many Allwinner processors on boards like Banana Pi micro-PCs, Orange Pi, and other devices.

At the forum of the Armbian operating system, a moderator who goes by the name Tkaiser noted that the backdoor code could be remotely exploitable "if combined with networked services that might allow access to /proc."

This security hole is currently present in every operating system image for A83T, H3 or H8 devices that rely on kernel 3.4, he added.

This blunder made by the company has been frustrating to many developers. Allwinner has also been less transparent about the backdoor code. David Manouchehri released the information about the backdoor through his own GitHub account (Pastebin) and then apparently deleted it.



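A read-only audit for the /proc node named in the article, added here as an example and not part of the original post or article. It only inspects the node and never writes to it; the function names, status words and the optional proc-root and kernel-release arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example: report whether the sunxi_debug node exists on this system.
# Nothing is written to the node, so the check cannot trigger it.

NODE_REL="sunxi_debug/sunxi_debug"   # path from the article, relative to /proc

# kernel_is_3_4 RELEASE -> success if the release string is a 3.4 kernel
kernel_is_3_4() {
    case "$1" in
        3.4|3.4.*|3.4-*) return 0 ;;
        *) return 1 ;;
    esac
}

# node_perm PATH -> prints the 10-character mode string, e.g. "-rw-rw-rw-"
node_perm() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# audit_sunxi_debug [PROC_ROOT] [KERNEL_RELEASE]
# Prints "absent", "present:world-writable" or "present:not-world-writable",
# followed by " kernel=3.4" or " kernel=other".
# Any "present" result means the running kernel carries the debug code.
audit_sunxi_debug() {
    proc_root="${1:-/proc}"
    release="${2:-$(uname -r)}"
    node="$proc_root/$NODE_REL"

    if kernel_is_3_4 "$release"; then kflag="kernel=3.4"; else kflag="kernel=other"; fi

    if [ ! -e "$node" ]; then
        echo "absent $kflag"
        return 0
    fi
    # Character 9 of the mode string is the write bit for "other" users.
    case "$(node_perm "$node")" in
        ????????w?) echo "present:world-writable $kflag" ;;
        *)          echo "present:not-world-writable $kflag" ;;
    esac
}

# Audit the live system (or the proc root / release given as arguments).
audit_sunxi_debug "$@"
```

Run it on each image before deployment; a result other than "absent" means the kernel needs to be replaced or rebuilt without the debug code.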
