tiann/KernelSU

KernelSU Not Granting Full Root Privileges on Samsung M14 (One UI 6.1 - Android 14 June security patch) (GKI Kernel 5.15.123

Opened this issue · 15 comments

Please check before submitting an issue

  • I have searched the issues and haven't found anything relevant
  • I will upload bugreport file in KernelSU Manager - Settings - Report log
  • I know how to reproduce the issue which may not be specific to my device

Describe the bug

I'm creating this issue after trying everything I can.

Our family recently bought a new phone (Samsung M14 4G - shipped with Android 14), and I noticed it has a GKI kernel (5.15.123)

Since I had never compiled GKI kernels before, I spent three days practicing by compiling the OEM kernel (GKI).
Source : https://github.com/ravindu644/a05s_stock

Today, after managing to configure custom defconfigs and menuconfig, I decided to try KernelSU.

After spending several hours adding and fixing various components, I successfully built a KSU-enabled kernel from the OEM source, and it booted on the first attempt!

The KernelSU Manager also shows the kernel version with the Working <GKI> message.

my

However, the problem is that su is not functioning properly. KernelSU Manager itself has minimal permissions, similar to ADB. I can only use the KernelSU Manager to perform basic actions like rebooting to download mode, etc.

When I grant root permissions to Root Checker, it shows that the device is rooted.

checker

Shizuku also works since it requires minimal permissions.

However, apps that require higher privileges, like Root Explorer, report that my device isn't rooted.

official

Additionally, in terminal apps, it indicates that root is not functioning.

I thought this might be an issue with my kernel, so I disabled security features like Defex (this phone doesn’t have RKP, KDP, or UH since it lacks Knox).

The issue persists.

I also tried modifying selinux hooks.c—no luck.

Installed LKM—no luck.
LKM

Installed the boot.img from the official KSU releases—no luck.
official

I'm not sure what’s going on :(

I've collected some logs from logcat since KernelSU Manager provides a log file with 0 bytes.

Thank you!

To Reproduce

??

Expected behavior

Normally, any rooting solution should work fine on a security disabled Samsung device.

Screenshots

No response

Logs

09-26 18:51:50.543  1026  1026 E audit   : type=1400 audit(1727356910.541:8784): avc:  denied  { search } for  pid=16493 comm="libksud.so" name="tests" dev="dm-54" ino=125 scontext=u:r:untrusted_app:s0:c0,c257,c512,c768 tcontext=u:object_r:shell_test_data_file:s0 tclass=dir permissive=0 SEPF_SM-M145F_13_0001 audit_filtered
09-26 18:51:50.543  1026  1026 E audit   : type=1400 audit(1727356910.541:8785): avc:  denied  { search } for  pid=16493 comm="libksud.so" name="tests" dev="dm-54" ino=125 scontext=u:r:untrusted_app:s0:c0,c257,c512,c768 tcontext=u:object_r:shell_test_data_file:s0 tclass=dir permissive=0 SEPF_SM-M145F_13_0001 audit_filtered
09-26 18:51:50.543  1026  1026 E audit   : type=1400 audit(1727356910.541:8786): avc:  denied  { search } for  pid=16493 comm="libksud.so" name="tests" dev="dm-54" ino=125 scontext=u:r:untrusted_app:s0:c0,c257,c512,c768 tcontext=u:object_r:shell_test_data_file:s0 tclass=dir permissive=0 SEPF_SM-M145F_13_0001 audit_filtered
09-26 18:51:50.543  1026  1026 E audit   : type=1400 audit(1727356910.541:8787): avc:  denied  { search } for  pid=16493 comm="libksud.so" name="tests" dev="dm-54" ino=125 scontext=u:r:untrusted_app:s0:c0,c257,c512,c768 tcontext=u:object_r:shell_test_data_file:s0 tclass=dir permissive=0 SEPF_SM-M145F_13_0001 audit_filtered
09-26 18:51:52.446  2177  2826 E SettingsToPropertiesMapper: key=persist.device_config.storage_native_boot.transcode_compat_manifest value=com.yelp.android,0,com.yy.biu,0,com.groupme.android,0,air.tv.douyu.android,0,com.baidu.mbaby,0,com.vlocker.locker,0,com.znxh.hyhuo,0,com.yixia.xiaokaxiu,0 exceeds system property max length.

09-26 18:54:03.976  1026  1026 E audit   : type=1400 audit(1727357043.973:8847): avc:  denied  { read } for  pid=14969 comm="sh" name="/" dev="dm-7" ino=59 scontext=u:r:untrusted_app_32:s0:c251,c256,c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0 SEPF_SM-M145F_13_0001 audit_filtered
09-26 18:54:04.070  1026  1026 E audit   : type=1400 audit(1727357044.065:8848): avc:  denied  { ioctl } for  pid=14877 comm="Thread-41" path="/data/data/com.speedsoftware.rootexplorer/databases/explorer.db" dev="dm-54" ino=20991 ioctlcmd=0xf522 scontext=u:r:untrusted_app_32:s0:c251,c256,c512,c768 tcontext=u:object_r:app_data_file:s0:c251,c256,c512,c768 tclass=file permissive=0 SEPF_SM-M145F_13_0001 audit_filtered
09-26 18:54:05.223  1026  1026 E audit   : type=1400 audit(1727357045.221:8849): avc:  denied  { read } for  pid=14969 comm="sh" name="/" dev="dm-7" ino=59 scontext=u:r:untrusted_app_32:s0:c251,c256,c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0 SEPF_SM-M145F_13_0001 audit_filtered
09-26 18:54:05.277  1026  1026 E audit   : type=1400 audit(1727357045.273:8850): avc:  denied  { ioctl } for  pid=14877 comm="Thread-44" path="/data/data/com.speedsoftware.rootexplorer/databases/explorer.db" dev="dm-54" ino=20991 ioctlcmd=0xf522 scontext=u:r:untrusted_app_32:s0:c251,c256,c512,c768 tcontext=u:object_r:app_data_file:s0:c251,c256,c512,c768 tclass=file permissive=0 SEPF_SM-M145F_13_0001 audit_filtered

09-26 18:54:40.875  1090  1123 E netd    : Error adding route 202.129.232.62/32 -> 192.168.8.1 wlan0 to table 99: File exists
09-26 18:54:42.243  2177  2205 E Transition: Trying to add a ready-group twice: Display{#0 state=ON size=1080x2400 ROTATION_0}
09-26 18:54:42.245  3838  3838 E pageboostd: Received HALT command code 2
09-26 18:54:42.292 16606 16606 E ActivityThread: Failed to find provider info for com.samsung.android.app.sharestar.ShareStarProvider
09-26 18:54:42.292 16606 16606 E ShareStarManager: e:java.lang.IllegalArgumentException: java.lang.IllegalArgumentException: Unknown authority com.samsung.android.app.sharestar.ShareStarProvider
09-26 18:54:42.314  1026  1026 E audit   : type=1400 audit(1727357082.309:8853): avc:  denied  { ioctl } for  pid=14408 comm="binder:14408_4" path="/data/user_de/0/com.android.settings/databases/sem_share.db" dev="dm-54" ino=21511 ioctlcmd=0xf522 scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=file permissive=0 SEPF_SM-M145F_13_0001 audit_filtered
09-26 18:54:42.364  1026  1026 E audit   : type=1400 audit(1727357082.361:8854): avc:  denied  { ioctl } for  pid=16660 comm="RxCachedThreadS" path="/data/user/0/com.samsung.android.app.sharelive/databases/linkShare.db" dev="dm-54" ino=16485 ioctlcmd=0xf522 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=0 SEPF_SM-M145F_13_0001 audit_filtered
09-26 18:54:42.370  1026  1026 E audit   : type=1400 audit(1727357082.365:8855): avc:  denied  { ioctl } for  pid=16660 comm="RxCachedThreadS" path="/data/user/0/com.samsung.android.app.sharelive/databases/linkShare.db" dev="dm-54" ino=16485 ioctlcmd=0xf522 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=0 SEPF_SM-M145F_13_0001 audit_filtered
09-26 18:54:42.378  1026  1026 E audit   : type=1400 audit(1727357082.373:8856): avc:  denied  { ioctl } for  pid=16660 comm="arch_disk_io_2" path="/data/user/0/com.samsung.android.app.sharelive/databases/linkShare.db" dev="dm-54" ino=16485 ioctlcmd=0xf522 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=0 SEPF_SM-M145F_13_0001 audit_filtered
09-26 18:54:42.389  3838  3838 E pageboostd: Received HALT command code 2
09-26 18:54:42.423  2177  2237 E WindowManager: win=Window{3b6b2ad u0 me.weishu.kernelsu/me.weishu.kernelsu.ui.MainActivity EXITING} destroySurfaces: appStopped=false cleanupOnResume=false win.mWindowRemovalAllowed=true win.mRemoveOnExit=true win.mViewVisibility=0 caller=com.android.server.wm.WindowState.onExitAnimationDone:5763 com.android.server.wm.WindowStateAnimator.onAnimationFinished:208 com.android.server.wm.WindowState.onAnimationFinished:5994 com.android.server.wm.WindowContainer$$ExternalSyntheticLambda4.onAnimationFinished:0 com.android.server.wm.SurfaceAnimator.lambda$getFinishedCallback$0:140 com.android.server.wm.SurfaceAnimator.$r8$lambda$eYT7rjaBOE8bCIRq043wVzQ_RTM:0 com.android.server.wm.SurfaceAnimator$$ExternalSyntheticLambda1.run:0
09-26 18:54:42.423  2177  4631 E AppOps  : Bad call made by uid 10192. Package "com.samsung.android.mdx.kit" does not belong to uid 5026.
09-26 18:54:42.424  2177  4631 E AppOps  : Cannot noteOperation
09-26 18:54:42.424  2177  4631 E AppOps  : java.lang.SecurityException: Specified package "com.samsung.android.mdx.kit" under uid 5026 but it is not
09-26 18:54:42.424  2177  4631 E AppOps  :      at com.android.server.appop.AppOpsService.verifyAndGetBypass(AppOpsService.java:3942)
09-26 18:54:42.424  2177  4631 E AppOps  :      at com.android.server.appop.AppOpsService.verifyAndGetBypass(AppOpsService.java:3802)
09-26 18:54:42.424  2177  4631 E AppOps  :      at com.android.server.appop.AppOpsService.noteOperationUnchecked(AppOpsService.java:2649)
09-26 18:54:42.424  2177  4631 E AppOps  :      at com.android.server.appop.AppOpsService.noteProxyOperationImpl(AppOpsService.java:2609)
09-26 18:54:42.424  2177  4631 E AppOps  :      at com.android.server.appop.AppOpsService.-$$Nest$mnoteProxyOperationImpl(AppOpsService.java:0)
09-26 18:54:42.424  2177  4631 E AppOps  :      at com.android.server.appop.AppOpsService$CheckOpsDelegateDispatcher.$r8$lambda$i5BgzdKGjmZM_Fo82DEvnLz-fGw(AppOpsService.java:0)
09-26 18:54:42.424  2177  4631 E AppOps  :      at com.android.server.appop.AppOpsService$CheckOpsDelegateDispatcher$$ExternalSyntheticLambda5.apply(R8$$SyntheticClass:0)
09-26 18:54:42.424  2177  4631 E AppOps  :      at com.android.server.policy.AppOpsPolicy.noteProxyOperation(AppOpsPolicy.java:246)
09-26 18:54:42.424  2177  4631 E AppOps  :      at com.android.server.appop.AppOpsService$CheckOpsDelegateDispatcher.noteProxyOperation(AppOpsService.java:6556)
09-26 18:54:42.424  2177  4631 E AppOps  :      at com.android.server.appop.AppOpsService.noteProxyOperation(AppOpsService.java:2550)
09-26 18:54:42.424  2177  4631 E AppOps  :      at com.android.internal.app.IAppOpsService$Stub.onTransact(IAppOpsService.java:635)
09-26 18:54:42.424  2177  4631 E AppOps  :      at android.os.Binder.execTransactInternal(Binder.java:1380)
09-26 18:54:42.424  2177  4631 E AppOps  :      at android.os.Binder.execTransact(Binder.java:1311)
09-26 18:54:42.428  2177  4538 E AppOps  : Bad call made by uid 10192. Package "com.samsung.android.mdx.kit" does not belong to uid 5026.
09-26 18:54:42.428  2177  4538 E AppOps  : Cannot noteOperation
09-26 18:54:42.428  2177  4538 E AppOps  : java.lang.SecurityException: Specified package "com.samsung.android.mdx.kit" under uid 5026 but it is not
09-26 18:54:42.428  2177  4538 E AppOps  :      at com.android.server.appop.AppOpsService.verifyAndGetBypass(AppOpsService.java:3942)
09-26 18:54:42.428  2177  4538 E AppOps  :      at com.android.server.appop.AppOpsService.verifyAndGetBypass(AppOpsService.java:3802)
09-26 18:54:42.428  2177  4538 E AppOps  :      at com.android.server.appop.AppOpsService.noteOperationUnchecked(AppOpsService.java:2649)
09-26 18:54:42.428  2177  4538 E AppOps  :      at com.android.server.appop.AppOpsService.noteProxyOperationImpl(AppOpsService.java:2609)
09-26 18:54:42.428  2177  4538 E AppOps  :      at com.android.server.appop.AppOpsService.-$$Nest$mnoteProxyOperationImpl(AppOpsService.java:0)
09-26 18:54:42.428  2177  4538 E AppOps  :      at com.android.server.appop.AppOpsService$CheckOpsDelegateDispatcher.$r8$lambda$i5BgzdKGjmZM_Fo82DEvnLz-fGw(AppOpsService.java:0)
09-26 18:54:42.428  2177  4538 E AppOps  :      at com.android.server.appop.AppOpsService$CheckOpsDelegateDispatcher$$ExternalSyntheticLambda5.apply(R8$$SyntheticClass:0)
09-26 18:54:42.428  2177  4538 E AppOps  :      at com.android.server.policy.AppOpsPolicy.noteProxyOperation(AppOpsPolicy.java:246)
09-26 18:54:42.428  2177  4538 E AppOps  :      at com.android.server.appop.AppOpsService$CheckOpsDelegateDispatcher.noteProxyOperation(AppOpsService.java:6556)
09-26 18:54:42.428  2177  4538 E AppOps  :      at com.android.server.appop.AppOpsService.noteProxyOperation(AppOpsService.java:2550)
09-26 18:54:42.428  2177  4538 E AppOps  :      at com.android.internal.app.IAppOpsService$Stub.onTransact(IAppOpsService.java:635)
09-26 18:54:42.428  2177  4538 E AppOps  :      at android.os.Binder.execTransactInternal(Binder.java:1380)
09-26 18:54:42.428  2177  4538 E AppOps  :      at android.os.Binder.execTransact(Binder.java:1311)
09-26 18:54:42.473  3065  3317 E #IMSCR  : 09-26 18:54:42 0x1101000A:0,PDN FAIL:NOT_DEFINED,38
09-26 18:54:42.475  3065  3317 E GlobalSettingsRepoBase: globalgcsettings No matched key : use_usim_on_invalid_isim
09-26 18:54:42.475  3065  3317 E GlobalSettingsRepoBase: globalgcsettings No matched key : use_usim_on_invalid_isim
09-26 18:54:42.475  2993  3463 E BtGatt.GattService: [GSIM LOG]: gsimLogHandler, msg: MESSAGE_SCAN_STOP, appName: com.google.uid.shared, scannerId: 4, reportDelayMillis=0
09-26 18:54:42.477 16728 16728 E oid.documentsui: No package ID ff found for resource ID 0xffffffff.
09-26 18:54:42.498  3065  3065 E GlobalSettingsRepoBase: globalgcsettings No matched key : separate_vo5g_icon
09-26 18:54:42.509 16728 16728 E oid.documentsui: No package ID ff found for resource ID 0xffffffff.
09-26 18:54:42.511  2993  3463 E BtGatt.GattService: [GSIM LOG]: gsimLogHandler, msg: MESSAGE_SCAN_START, appName: com.google.uid.shared, scannerId: 4, reportDelayMillis=0
09-26 18:54:42.527 16728 16728 E oid.documentsui: No package ID ff found for resource ID 0xffffffff.
09-26 18:54:42.529  1026  1026 E audit   : type=1400 audit(1727357082.525:8857): avc:  denied  { ioctl } for  pid=6526 comm="binder:6526_1" path="/data/data/com.android.providers.downloads/databases/downloads.db" dev="dm-54" ino=5212 ioctlcmd=0xf522 scontext=u:r:mediaprovider:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=0 SEPF_SM-M145F_13_0001 audit_filtered
09-26 18:54:42.544  5579 16808 E MCFQS   : () ()-[td:RxCachedThreadScheduler-3] Fail to get ContinuityAdapter
09-26 18:54:42.553  2993  3409 E BluetoothRemoteDevices: Remote class is UNCATEGORIZED
09-26 18:54:42.585  2993  3463 E BtGatt.GattService: [GSIM LOG]: gsimLogHandler, msg: MESSAGE_SCAN_STOP, appName: android.uid.mdxkit, scannerId: 5, reportDelayMillis=0
09-26 18:54:42.632  2993  3463 E BtGatt.GattService: [GSIM LOG]: gsimLogHandler, msg: MESSAGE_ADV_SET_START, appName: com.samsung.android.mdx.kit, id: 1, isLegacy: true
09-26 18:54:42.656 16728 16728 E oid.documentsui: No package ID ff found for resource ID 0xffffffff.
09-26 18:54:42.668  2993  3463 E BtGatt.GattService: [GSIM LOG]: gsimLogHandler, msg: MESSAGE_SCAN_START, appName: android.uid.mdxkit, scannerId: 5, reportDelayMillis=0
09-26 18:54:42.682  3838  3838 E pageboostd: Received HALT command code 2
09-26 18:54:42.689 16728 16728 E oid.documentsui: No package ID ff found for resource ID 0xffffffff.
09-26 18:54:43.158  2177  2205 E WindowManager: win=Window{fc59203 u0 Pop-up window} destroySurfaces: appStopped=true cleanupOnResume=false win.mWindowRemovalAllowed=false win.mRemoveOnExit=false win.mViewVisibility=8 caller=com.android.server.wm.WindowState.destroySurface:4146 com.android.server.wm.ActivityRecord.destroySurfaces:6952 com.android.server.wm.ActivityRecord.destroySurfaces:6933 com.android.server.wm.ActivityRecord.activityStopped:7633 com.android.server.wm.ActivityClientController.activityStopped:310 android.app.IActivityClientController$Stub.onTransact:702 com.android.server.wm.ActivityClientController.onTransact:175
09-26 18:54:43.158  2177  2205 E WindowManager: win=Window{63a1c2c u0 me.weishu.kernelsu/me.weishu.kernelsu.ui.MainActivity} destroySurfaces: appStopped=true cleanupOnResume=false win.mWindowRemovalAllowed=false win.mRemoveOnExit=false win.mViewVisibility=8 caller=com.android.server.wm.ActivityRecord.destroySurfaces:6952 com.android.server.wm.ActivityRecord.destroySurfaces:6933 com.android.server.wm.ActivityRecord.activityStopped:7633 com.android.server.wm.ActivityClientController.activityStopped:310 android.app.IActivityClientController$Stub.onTransact:702 com.android.server.wm.ActivityClientController.onTransact:175 android.os.Binder.execTransactInternal:1380

Device info

  • Device: SM-M145F
  • OS Version: Android 14 - One UI 6.1
  • KernelSU Version: 11928
  • Kernel Version: 5.15.123

Additional context

No response

I was able to dump the log files related to this incident using Magisk (from /data/adb/ksu/log:

log_m14_ksu.zip

edit : I was not able to find anything important in these logs. Maybe these issues are related to the manager itself?

edit 2: even with SE Linux permissive mode, the problem still exists which means this is related to manager or One UI itself :

Screenshot_20240927_001242_KernelSU

Quick update: After wasting over 5-10 hours in the debugging process, I finally managed to identify why this happens and found a workaround to fix the issue.

I always thought there was something wrong with my device, but all of my efforts were in vain after I realized the issue is with KernelSU itself.

According to the issues created in this repo, I found the exact same issue as mine, stating that this problem started occurring after v0.9.2.

So, I downgraded my KSU version to v0.9.2 and tested it again.

Voila, it worked!

Hope you guys fix this issue ASAP.

Screenshot_20240927_021402_KernelSU

Is your terminal a 32-bit application?

Is your terminal a 32-bit application?

maybe. btw this issue happened with half of my root related apps, even with the root explorer. Only shizuku and log fox worked in my scene :(

32 bit apps can't use su after v0.9.2.

try this one: https://github.com/tiann/KernelSU/actions/runs/10977394262?pr=2084

I did everything correctly. But, the problem still exists 😢

1
2

32 bit apps can't use su after v0.9.2.

Even I can't execute 'su' in ADB shell 🥲

try this one: https://github.com/tiann/KernelSU/actions/runs/10977394262?pr=2084

bootloop with those CI builds

Your KMI is android13-5.15 while tiann provided android14-5.15. Try this https://github.com/tiann/KernelSU/actions/runs/10977394263?pr=2084

try this one: https://github.com/tiann/KernelSU/actions/runs/10977394262?pr=2084

I did everything correctly. But, the problem still exists 😢

1 2

Root Explorer downloaded from https://rootexplorer.co/ cannot reproduce your problem

try this one: https://github.com/tiann/KernelSU/actions/runs/10977394262?pr=2084

bootloop with those CI builds

Your KMI is android13-5.15 while tiann provided android14-5.15. Try this https://github.com/tiann/KernelSU/actions/runs/10977394263?pr=2084

It booted, but it didn't fix any of my issues.

01. su in any terminal application is always broken :
image

02. Still 32 bit applications unable to get root access + flashing an upstreamed kernel broke some features in my phone like graphics and battery statistics

Screenshot_20240929_003505_Root Explorer

try this one: https://github.com/tiann/KernelSU/actions/runs/10977394262?pr=2084

bootloop with those CI builds

Your KMI is android13-5.15 while tiann provided android14-5.15. Try this https://github.com/tiann/KernelSU/actions/runs/10977394263?pr=2084

It booted, but it didn't fix any of my issues.

01. su in any terminal application is always broken : image

02. Still 32 bit applications unable to get root access + flashing an upstreamed kernel broke some features in my phone like graphics and battery statistics

Screenshot_20240929_003505_Root Explorer

Run strace which su in adb shell and upload the output

try this one: https://github.com/tiann/KernelSU/actions/runs/10977394262?pr=2084

bootloop with those CI builds

Your KMI is android13-5.15 while tiann provided android14-5.15. Try this https://github.com/tiann/KernelSU/actions/runs/10977394263?pr=2084

It booted, but it didn't fix any of my issues.
01. su in any terminal application is always broken : image
02. Still 32 bit applications unable to get root access + flashing an upstreamed kernel broke some features in my phone like graphics and battery statistics
Screenshot_20240929_003505_Root Explorer

Run strace which su in adb shell and upload the output

Mmm. I locked the BL. I can only test this again after 2 months due to my exams. Hope someone will provide the necessary logs reguarding this issue, or don't close this issue as completed :)