hi. i can't believe i'm the first person to ask this but i've searched as best i can through these forums, and on google, and cannot find a definitive answer. there are lots of pages giving high level descriptions of rooting a phone like "gives admin access", "allows access to the root filesystem", etc. but, when you root a phone, what actually happens ? does it simply make the "su" binary available so that apps can call it to access the root user ? eg. i've got a samsung galaxy s2, if i install an insecure kernel, then add su to /system/xbin, and then reinstall a stock kernel, is that technically a rooted phone ? this is actually what i did on my phone, although i installed superuser and busybox from the market after adding su. i am aware that there are various threads in the sgs2 forums on how to root, i'm just using my phone as an example, i'm just trying to understand generically what is meant when someone says a phone has been rooted. cheers.
Full control over your system
Ability to alter system files. You can replace many parts of the "Android Core" with this including:
Themes
Core apps (maps, calendar, clock etc)
Recovery image
Bootloader
Toolbox (linux binary that lets you execute simple linux commands like "ls") can be replaced with Busybox (slightly better option)
Boot images
Add linux binaries
Run special apps that need more control over the system
SuperUser (lets you approve or deny the use of root access to any program)
Task Manager For Root (Lets you kill apps that you otherwise could not kill)
Tether apps (like the one found at [android-wifi-tether.googlecode.com])
<there are more but I cannot think of any right now>
Backup your system
You can make a folder on your sdcard and backup all of your .apk files to your sdcard (helps if an author decides to "upgrade" you to a version that requires you to pay to use the version you just had)
Relocate your (browser/maps/market) cache to your /sdcard
Relocate your installed applications to your /sdcard
Reboot your phone from the terminal app easily (su <enter> reboot <enter>)
Copied and pasted from google... it is your friend.
thanks for the response however, i'm trying to understand what actually changes on the phone when you root it, rather than simply the benefits of rooting a phone.
Carrot Cruncher said:
thanks for the response however, i'm trying to understand what actually changes on the phone when you root it, rather than simply the benefits of rooting a phone.
Click to expand...
Click to collapse
Unrooted phone is like logging on as user in a computer. By rooting you have "administrative" rights, just like using sudo command in Ubuntu. Some binaries which are important in gaining administrative rights are installed in the phone.
sent from my nokia 3210
If you come from Windows, you're familiar with the Administrator account. A user that can do everything on the system, as opposed to other users than only have limited privileges. In Linux, that account is called "root". That's all there is to it. It's a user that can do everything on the system.
@Panos_dm: Actually, it's *not* like using sudo. Sudo gives elevated privileges to your existing user account, whereas "root" is a whole separate account.
Nope, sudo actually switches users
i'm a linux user and have been a linux admin in the past so understand the difference between su and sudo. sorry to sound pedantic but i'm still not clear on exactly what happens when you root a phone, i.e. what exactly happens during the rooting process ?
It opens your phone to a whole new array of possibilities.
Sent from my HTC Sensation 4G using xda premium
Carrot Cruncher said:
but i'm still not clear on exactly what happens when you root a phone, i.e. what exactly happens during the rooting process ?
Click to expand...
Click to collapse
In a gist? The "su" binary and the Superuser.apk app get installed. Sometimes doing so requires exploiting a vulnerability via a trigger. Rageagainstthecage is a common trigger. I once had a link that explained what exactly rageagainstthecage does, but I don't have it anymore.
If you really want to know all the details, here's the script I used to root my Defy: http://pastebin.com/G3m9v4FQ
Hmm, I see the script contains a link to the explanation of what rageagainstthecage does. Cool.
many thanks for confirming my understanding of the process.
Related
Hello XDA-Forum users,
I ask you a question: How does Android Root works ?
I mean, for example, How does it works in Nexus One ?
This would be an understanding question to know more about how I get root from my Phone (Nexus One, for example) from scratch, from sources.
upupupupupup
Rooting basics:
http://lifehacker.com/5342237/five-great-reasons-to-root-your-android-phone
For details on how to do it on your device, Google or use the forum search. Lots of rooting information that is device dependent out there.
It basically gives your phone permission to do almost anything. It is similar to giving a user in Windows Administrator rights. It is called super user. You can do many things such as removing unwanted apps and overclocking.
This is not what I mean, I asks for an explaining in which the question is "How the root is possible? What active the root ?" Probably a kernel exploit, or stuff like that, to understand the underground passage to take it, from an hack view.
So, How works a root utility (such SuperOneClick) to set gid to 0 ?
Valid question, I am also interested in learning this.
In other words, if I were to perform the rooting manually, where can I find such info?
And some of the question is why su must be in some diredctories, and can't be run from /data/local/tmp for example?
Someone can enlighten us?
diego.stamigni said:
Someone can enlighten us?
Click to expand...
Click to collapse
The general approach is taking advantage of bugs in the android OS
The process works something like this
User crafts some special data that contains a "payload" (the script/executable that we want to run)
User runs a system process that has root privileges and gets it to open the special data
The bug causes the system process to get confused by the data, and ends up running the embedded script
The embedded script runs with the same privileges as the system process, and thus can stuff that normal users aren't allowed to do (e.g. installs the SU app)
Commonly, things such as buffer overflows are used
So after gaining root access, which apps can run as root?
Or the user becomes root(as in desktop), and can run all types of apps?
Can root app(run as root) access everything?? Or app permission still applies?
Is it that system exploit is always used to run root apps?
can someone explain in technical details? not how to root.
are rooting programs open source??
What is the root procedure
Bayint Naung said:
So after gaining root access, which apps can run as root?
Or the user becomes root(as in desktop), and can run all types of apps?
Can root app(run as root) access everything?? Or app permission still applies?
Is it that system exploit is always used to run root apps?
can someone explain in technical details? not how to root.
are rooting programs open source??
Click to expand...
Click to collapse
Hi guys!
I have the same question and after searching and asking find this!
it is good!!
hope it works!
http://stackoverflow.com/questions/...hat-are-the-pre-requisites-for-it-to-work-wha
also look at the suggestedpages at the right of this page!
I installed Z4 mod and ran it and it says my g-tab is rooted. I have read that custom ROMS are pre-rooted. In my limited linux experience - being root gives you total control over the machine. I ran Terminal Emulator and cd / to get me to the top of the file structure. I tried to mkdir test and I was denied because the file system is read only. Next I went into the system folder because a lot of stuff in there looks familiar. I again tried mkdir test and was denied because the file system is read only. It would seem that to be root I would need a password and Z4 didn't offer to give me one or let me set it. Thinking further, I wonder if the file system is mounted for read only and that is why I can't create a new directory. When I am running the rom (Vegan) I can write there (understanding that I am writing to the sdcard that is mounted - presumably with RW access. So, what is all this rooting talk about then? What is the purpose of being root if you still do not have access to the file system?
You need Superuser.apk, as well. Think of Superuser as similar to Windows UAC, and rooting as making yourself an administrator. Even though you have root (admin) access, UAC (Supeuser.apk) still needs to let you through.
You also need "root aware" apps. Perfect example is Titanium Backup and that's usually my "litmus test" for verifying if I really have root or not on a device.
yup, in my limited rooting experience (droid1 and gtablet), after the process, there was always a new icon in the app tray entitled "superuser". i didnt have to install it separately, it showed up after the rooting process. if you don't have the superuser app, im betting the root process was unsuccessful.
my memory tells me i had some problems with z4root rooting my tablet, and i had to do it a few times before it actually worked. that was back in december tho, so i dont know if the current version of z4 is different than the one i used, and if so, if kinks were worked out...
so yeah, i probably helped none.
I always though z4root and Superuser were kind of a package deal.
I use them on my Cowon D3, as Cowon completely locks down their recovery process. boo to that.
rodzero,
With z4root you install it first. Then, you install a file manager program like "Root
Explorer" and when it comes up you click to "Allow" it. After that, you can go in
through Root Explorer and create and change R/O to R/W as needed. Same same
with Titanium Backup, once you have "allowed" it you can do what you need
to with the program.
Rev
More Investigation.
Thanks for the fast responses! I do have Superuser installed and it pops up from time to time when an app wants su access. Using terminal emulator, I worked my way into and what do I find but su! I ran su and got was granted su rights in the terminal. I felt pretty smug so I headed into the etc folder thinking I would make a simple change to the hosts file just to see if I could do it. I'm used to using nano in Ubuntu but no nano here. I tried vi (which I really don't know how to use) and I got some strange display but I don't think it was an editor. So, for the sake of closing the loop - if I wanted to edit the hosts file and add a new host - how would I do it. The Terminal Emulator now seems to be in the list to be granted su whenever I type it in. I know how to move around the file system. What kind of text editor would I invoke to actually alter the file? OK.... I went and downloaded TED and worked my way back to the hosts file, added a line but TED doesn't have su rights to save the file. So it looks like su exists but I don't see how to run an app in su mode except for terminal where I can invoke it by a text command. What's the missing piece to get TED to ask for su access?
Just a guess, but TED need to ask for elevation of privileges. It's probably an app issue.
I'm sure the answer to this question is somewhere there, but I cannot find it. There is plenty of information on how to root your phone or tablet, but not on how the root works on Android.
When I work on my Linux box I usually use a "normal", limited user. Only when I need to install something, I switch to superuser, or root, using "su" or "sudo".What happens on a rooted Android? Do all apps run with root privileges all the time? Or rather some sort of "su" command is unlocked, and an app can access it when required. Can I give and revoke superuser powers to an app?
It is always safer to run all programs or apps with limited privileges, so when they misbehave, the risk to system integrity is minimal. If everything runs in root mode, it might just spectacularly crash one day.
In this context, how does adaway work? Does it start with the system, sitting in the background and using its root privileges to intercept and filter incoming HTTP packages? If I understand this correctly, it should then work with any browser?
Sorry for asking several questions in one topic, but I'd appreciate if someone could briefly explain the whole thing.
There is a superuser app, which seems to be doing the same job as gksu does on a linux desktop. Apps can request root, you can allow/deny. If you use the shell, su works as normal (just no password) - but connectbot needs to be given root privileges in order for this to succeed.
So there are two populair methods of rooting the galaxy s3:
- The Samsung galaxy s3 toolkit
- Chainfire's CF-ROOT
My questions are as follows:
What are the technical differences between the two rooting methods?
Do the methods have any drawbacks? (cf-root for example is incompatible with rommanager)
disclaimer:
I am not interested in what you think is the best method, I want to know the technical differences between the two methods used.
I know that the toolkit itself is not a rooting method, it does however include 4 different methods you can use, I am referring to those.
The toolkit uses cfroot I think. Not sure if it's as up to date as the latest cfroot via Odin. They both work well enough. There is no other method I know of. And I haven't had any drawbacks.
That's all I can say really
Sent from my GT-I9300 using xda premium
Also The toolkit uses Odin too. It has other options and clear instructions. Drivers. Modems etc so this would be the best option for an casual user.
Latest cfroot via Odin is probably your best option if u know what your doing
But it's up to you mate, it doesn't really need analyzing so deeply...
Sent from my GT-I9300 using xda premium
slking1989 said:
But it's up to you mate, it doesn't really need analyzing so deeply...
Click to expand...
Click to collapse
Well it is personal but I like to know or at least have a general idea of what I am doing to my phone. So yes it does
Tnx for the reply
Anyone else who can give me some more insight?
Unfortunately I don't have an answer for you, but I also am interested in the answer to your question..
I think certain methods of rooting use SuperSU (is this the CF one?) and then another method uses Superuser. I think both install busybox (that seems to be the same?)
In my experience, using the Superuser.apk app was faster than SuperSU..
I don't even have the Busybox app installed (but I am sure my phone has busybox, so this also confuses me??)
CF root gets the job done in 20-25 seconds. It installs superSU, busybox and cwm recovery. I would allways recommend rooting with CF Root over the Toolkit.
But that`s my opinion off course
gee2012 said:
CF root gets the job done in 20-25 seconds. It installs superSU, busybox and cwm recovery. I would allways recommend rooting with CF Root over the Toolkit.
But that`s my opinion off course
Click to expand...
Click to collapse
Yes go with the CFroot if u just want to root ur phone.
Sent from my GT-I9300 using Tapatalk 2
'K, I'll bite. I'm not going to give an overall recommendation - at the end of day, they both install an APK and put a new binary in /system/xbin.
Note: I used CF-Root to root my phone. When I talk about how the the toolkit does what it does, I'm basing my words on this image. I've seen the things in that image before, even though I haven't used the toolkit. This also means that my toolkit observations may not be entirely accurate but it's a batch script, anyway; you can just read through it and find out how it works. I'm also primarily a Windows user, but I used to use GNU/Linux quite a bit to write programs for a phone that I once had.
Rooting is, when broken down, the installation of a "su" binary installed to /system/xbin, that is owned by root and carries the setuid flag. This flag is important as the Linux kernel will then run the process whenever it's invoked as the person who owns it, root. This process can then, in turn, start other programs and they inherit the user ID (something like this - I'm taking my time reading TLPI...) so they are then running as root. There's also a "manager" app (Superuser or SuperSU) that will be installed; this app is talked to by the su binary (through the Android Binder AFAIK, though Superuser's source is available so if you really wanted to find out you could read that) to see, for example, if the program that is invoking "su" is allowed to do so. CF-Root installs the SuperSU apk to /system/app, which means that it survives factory resets. The toolkit, from a quick look at the Superuser ZIP in its folder and its batch file, also installs the Superuser apk to /system/app. When sideloading apps or installing from the Google Play Store, they usually get installed to /data/app.
Not all "su" implementations for Android need a manager app, I've seen implementations where su does not place restrictions on who is allowed to run it; uid=0 for everyone without discrimination! (Yes, that also includes you, Super Smilies Pack 3000 with boob smilies) Thankfully, neither the toolkit nor CF-Root do this. I lie a little. Superuser's su binary will automatically reject any request to become root if the Superuser.apk is not installed but SuperSU's su binary will automatically accept all requests to become root if the SuperSU apk is not installed. Personally, I prefer SuperSU's behaviour as there have been too many times with my old phones where I'd have to sign into Google Play after wiping /data just to install the Superuser APK when all I wanted was to run a simple command.
ext* filesystems along with other *NIX filesystems have the concept of file permissions, a concept shared by other *NIX filesystems. In order to actually place this su binary owned by root into a folder owned by root, you need to be root. (Actually, the folder is also owned by the shell group so a user which is a member of that group could do it too, but they wouldn't be able to set the all-important setuid flag as they're not the user root [perhaps a member of group root could do it but I don't know]) Usually, exploits in other programs running/can run as root or in the kernel are searched for so that you can temporarily root in order to install the su binary correctly. The GSIII (with the exception of Verizon's) has an unlocked bootloader, though, so programmers don't need to search for any of these: it's able to flash unofficial, unsigned recoveries and kernels.
CF-Root does this:
* it flashes a new CWM-based recovery in the recovery partition of the phone. If you've seen the stock Android recovery, you'll know that it just can't match the features of CWM. The important thing about CWM is that it runs as root, just like the stock recovery, but it also lets you place any file anywhere on the phone without requiring that the the ZIP file containing the files are not signed with a Samsung private key. Remember what I said about file permissions?
* there's also a param.bin file. I don't know anything about this file, but I suspect it's flashed to get the phone to boot up into recovery mode the next time it's started so that CWM runs before anything else
* it also flashes the cache partition (I'm not sure whether it overwrites or appends as I don't know how [and probably never will] know how ODIN works with two ZIP files: SuperSU, which contains the su binary, the SuperSU apk and a script that is run by CWM to set the required permissions on the su binary among other things, and the CWM app which lets you tell the recovery what actions you want it to perform in Android without having to navigate through the awkward interface of CWM itself. While I don't know how to do this myself, CWM recovery can be told to automatically run commands from an external source. I'm not talking about random websites on the Internet, but (I think) through files that have to be placed somewhere by root. This is what apps like the CWM app and ROM Manager do. This is also what CF-Root does to tell the recovery that the next time it's booted that it should install both the CWM ZIP and SuperSU ZIP. That's it in the case of CF-Root: you now have a phone with the two files required for root access, and a CWM recovery and an app to control it.
The toolkit:
(I only talk about the "insecure boot" options as I imagine the recovery option does something similar to the above and do remember that I haven't used the toolkit to root my phone so some assumptions are made. I also assume you know what ADB is as I won't be explaining it)
* it gets you to flash a kernel image with a patched adbd that runs as root, so adb on your computer, in turn, is able to place files anywhere on the phone's /. File permissions make it so you can't just place adbd in its expected place (/sbin) as any user and /sbin is also mounted on a ramdisk part of the flashable kernel image so it would be replaced on the next reboot, anyway.
* When the phone is running again with the new kernel, it then tells adb (now running as root) to push the Superuser APK and the su binary into their rightful place and sets the correct permisions on the su binary so that it runs as root
* if you've told it to install busybox, busybox is pushed and a bunch of symlinks for all the applets that BusyBox supports are set up
CF-Root installs, naturally, Chainfire's SuperSu whereas the toolkit installs Superuser. I much prefer SuperSU (and I bought a pro license for Superuser long before I did for SuperSu). Superuser's interface is much better than SuperSU's and it's also open-source but I find that SuperSU works much quicker for me (Root Explorer actually popped up a message on my sister's freshly-flashed Xperia Arc S saying that Superuser can be slow if Superuser hasn't granted it root access quick enough - I've never encountered that on my Huawei U8800pro with SuperSU which has pretty much the same specs as the Xperia) and it can also log the commands an app is running as root if you're suspicious of an application.
You'll notice that ADB still runs as a normal user with CF-Root. You can use Chainfire's adbd Insecure app which will replace /sbin/adbd everytime the phone is started with his patched adbd which always runs as root, or you can just flash one of the many kernels available that already include a patched /sbin/adbd.
CF-Root also does not install BusyBox. You can grab one of the installers from the Play Store but what I do personally is kang a CM9 nightly build for the I9300 and take the META-INF folder and the /system/xbin/busybox binary and strip out most of the lines in the update-script leaving only the lines that mount, extract and create the symlinks for busybox and place the result in a new ZIP which is then flashed with CWM.
Your "cf-root for example is incompatible with rommanager" gripe is easily solved - just flash another recovery. CF-Root just packages a CWM Recovery, an app to control CWM and SuperSU. CF-Root itself is not a resident component, but the recovery and SuperSU etc. are, if that makes sense.
qwerty12 said:
A long story with a lot of interesting and valuable information
Click to expand...
Click to collapse
Tnx! This is precisely what I have been looking for! A lot of the information I already found in seperate pieces but this made it click in my head. I used cf-root to root the phone and am currently deciding if I want to work with the included tools and cwm recovery or flash CWM touch
I got a busybox installer from the market and it works like a charm (Well Titanium backup seems to do its job anyway).
I must say I think was over analyzing this a bit since I owned a HTC desire before this phone where rooting has a lot more risks involved and a lot more steps.
The only advantage i can see to using toolkit is it will get updated quicker and it has loads of other options. If you just want to Root and flash a Rom cf root is way to go
Sent from my GT-I9300 using xda app-developers app
creesch said:
Tnx! This is precisely what I have been looking for! A lot of the information I already found in seperate pieces but this made it click in my head. I used cf-root to root the phone and am currently deciding if I want to work with the included tools and cwm recovery or flash CWM touch
Click to expand...
Click to collapse
Glad it helped
I must say I think was over analyzing this a bit since I owned a HTC desire before this phone where rooting has a lot more risks involved and a lot more steps.
Click to expand...
Click to collapse
Yeah, HTC's locked bootloaders and the S-ON/S-OFF rubbish is one of the reasons I decided to skip the One X and go for the Galaxy S3.
creesch said:
I must say I think was over analyzing this a bit since I owned a HTC desire before this phone where rooting has a lot more risks involved and a lot more steps.
Click to expand...
Click to collapse
Its fair to say that unlike many people on this forum you did your research. Searched.. and asked a valid question. Whereas the majority of people just ask questions without being bothered to figure it out themselves. So thanks. Over analyzing? Maybe a little... but its better than flashing any old thing like many other have done and continue to do. Big thanks to qwerty who has filled me in on some useful info also.
Sent from my GT-I9300 using xda premium
You should have thanked him tho maaan
Sent from my GT-I9300 using xda premium
creesch said:
Tnx! This is precisely what I have been looking for! A lot of the information I already found in seperate pieces but this made it click in my head. I used cf-root to root the phone and am currently deciding if I want to work with the included tools and cwm recovery or flash CWM touch
I got a busybox installer from the market and it works like a charm (Well Titanium backup seems to do its job anyway).
I must say I think was over analyzing this a bit since I owned a HTC desire before this phone where rooting has a lot more risks involved and a lot more steps.
Click to expand...
Click to collapse
Stick with 5.x.x.x recovery, touch(6.x.x.x) has some instability issues afaik
Sent from my GT-I9300 using xda premium
slaphead20 said:
Stick with 5.x.x.x recovery, touch(6.x.x.x) has some instability issues afaik
Sent from my GT-I9300 using xda premium
Click to expand...
Click to collapse
Alright well since it was only the touch aspect that made me consider it i'll leave it just like it is
Hey guys
Hey guys i have the internationa galaxy s3 running 4.1.2, i haven't done anything to my phone yet and im about to root it is the boot loader unlcoked and if not how do i unlock it :good:, could someone please help me:crying::crying: and give me clear instructions and links please :fingers-crossed: thanks you so much,
BTw i know this is the wrong thread but i cant find the right one, thanks alot guys
regards nick
I have just updated my Prime and I did not have rooted it with ICS. Is possible to root JB without previous rooting?
No. You must back up root using OTA Rootkeeper in order to regain root in JB. There is no known exploit for JB yet.
without restoring root with ota rootkeeper, try http://matthill.eu/mobile/root-trans...lybean-update/ and follow the instructions, follow the links for the files you need
tonesy said:
without restoring root with ota rootkeeper, try http://matthill.eu/mobile/root-trans...lybean-update/ and follow the instructions, follow the links for the files you need
Click to expand...
Click to collapse
lol, must be a joke.... dead link.
I have been actively pursuing this. Without bootloader unlock i dont beleive so.
If you Unlock the Bootloader or already have an Unlocked Bootloader, you can get root.
I haven't seen any exploits posted for the Prime in JB yet, so this may be your only way for now.
hx4700 Killer said:
lol, must be a joke.... dead link.
I have been actively pursuing this. Without bootloader unlock i dont beleive so.
Click to expand...
Click to collapse
He posted a bad link but doesnt work if you have no root access at all. This is just a "regain root if you have partial root" guide:
http://matthill.eu/?s=jelly+bean
Thread moved
Thread moved. This is clearly belonging into Q&A. Please post in correct Sub-Forum.
peace
jotha - forum moderator
Does any one know if one person with development capabilty is trying to find a way to root JB ?
I talked to bin4ry about his root method in hopes of working with him on modifications for the prime but he is telling me his mod is making the change he is exploiting according to what I am seeing but possibly ASUS disabled the emulator mode in this version of the OS. This is what would give you root access via ADB so changes can be made.
I couldnt get out of him what exactly his "restore timing exploit" is but I understand everthing after that
Outside of anything coming up I would say if you must have it now and don't mind voiding your warranty then use the unlocker tool and follow one of many guides on here to do it from an unlocked device.
Perhaps we can turn this thread into, or possibly start a new one about the different things people(devs and/or the technically savy) are finding in the quest for an exploit...
We could start with a list of what is known. Of particular interest would be the differences between the complete stock (me btw), was rooted but lost it, was rooted and kept it, and of course anybody who has managed to root it by messing around but not taken notes along the way.
here's what I have found.
from the PC, creating an adb shell allows me to ls /data/local/tmp/ but from a tablet's terminal emulator (shell?) I cant.
Typing id from both it becomes obvious why
From adb shell I get
Code:
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009
(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt)
,3003(inet),3006(net_bw_stats)
from the tablet I get
Code:
uid=10126(u0_a126) gid=10126(u0_a126) groups=1015(sdcard_rw), 1028(sdcard_r),
3003(inet)
I was getting excited last night (burnt the midnight oil) trying what I thought might be a possible exploit with an android supplied command called "run-as". Its limitaions became obvious when I looked at the source code for it. You need an application pakage that is debugable and it cd's to its directory to run the command and a bunch of other things, so I compiled it on C4droid using just the main functions setresuid() and setresgid() but they both failed no matter what value was plugged into them based on UID and GID found here
http://forum.xda-developers.com/showthread.php?t=442557
I have yet to exhaust this avenue. I might be able to create an empty package and sign it as a system app, make it debugable and see what that yeilds but its looking like a convoluted process, espicially considering that run as may not work as intended on prime's JB
PS I want to state that I know precious little about linux and even less about the android layer above it...
Just as an FYI the way bin4rys tool is supposed to work is an exploit in which it makes a symlink to /data/local.prop and injects ro.kernel.qemu=1 in to local.prop then reboots.
This is supposed to put the device in emulator mode and when you connect with adb shell you get a root shell prompt. All the rest is fairly straightforward/standard. Remount file system as RW, install SU and superuser.apk with their permissions set properly in the proper places then break the symlink to local.prop and reboot.
What would help a lot is if someone who is already rooted can make the attempt, set qemu = 1 in the relinked local.prop then adb shell connect to see if you get a root prompt. Trying to confirm that emulator mode is enabled and you get root access as shell to see if this is even worth pursuing.
I would just use the unlocker tool but I am 2 weeks in to ownership of a new unit.
yes I have seen that typing adb root gives the message
Code:
adbd cannot run as root in production builds
it would indeed be interesting to see if changing "qemu" flags it as a non-production build. My sgs is rooted with CM10 nightlies might try toggling the value on that and see what adb says
Run-as
abazz said:
I was getting excited last night (burnt the midnight oil) trying what I thought might be a possible exploit with an android supplied command called "run-as". Its limitaions became obvious when I looked at the source code for it. You need an application pakage that is debugable and it cd's to its directory to run the command and a bunch of other things, so I compiled it on C4droid using just the main functions setresuid() and setresgid() but they both failed no matter what value was plugged into them based on UID and GID found here
http://forum.xda-developers.com/showthread.php?t=442557
Click to expand...
Click to collapse
Yes. I noticed the permissions on that file as well. I'm not an android person, so I don't know how that end works, but the permissions do look correct (setuid root, and runnable as group shell [which we get via adb, but not locally on terminal].
Based on the little bit that I have read, it seems that it may be getting the permissions assigned to the apk and running the command line with those permissions.
If that is correct, then running it via something with c4droid probably won't work, as it's permissions are whatever group it (c4droid?) was assigned at install.
So, how do does one / can one specify that the package is supposed to be root (uid 0). I'd guess (from a standard UNIX security perspective) that you can't just push arbitrary apps to the machine with 'run me as root' permissions. Otherwise, this would be a completely non-issue. But, is there a package which is pre-installed that we can exploit the permissions of to do this? I don't know yet.
Also, if my readings / assumptions were correct above, we probably don't want to do a setreuid(), but rather call bash/busybox as the 'command' issued in the name of the apk (since it would then run as root, or the uid of the package). Either that, or a system command(s) to chown/chmod the su binary that we can upload via adb (but which comes in as shell.shell).
Did you find the source for run-as somewhere? It would be interesting to look at to see if such a thing is possible. Failing that, it would be interesting to see if there were any sorts of buffer overflows that could be run against it. I've never tried such on arm7, but I've done it under UNIX on x86 and Sparc.
Thanks
Schemm
elschemm said:
Yes. I noticed the permissions on that file as well. I'm not an android person, so I don't know how that end works, but the permissions do look correct (setuid root, and runnable as group shell [which we get via adb, but not locally on terminal].
Based on the little bit that I have read, it seems that it may be getting the permissions assigned to the apk and running the command line with those permissions.
If that is correct, then running it via something with c4droid probably won't work, as it's permissions are whatever group it (c4droid?) was assigned at install.
Click to expand...
Click to collapse
Yes you are correct. setresuid() function will not give you permissions greater than the process its running in
So, how do does one / can one specify that the package is supposed to be root (uid 0). I'd guess (from a standard UNIX security perspective) that you can't just push arbitrary apps to the machine with 'run me as root' permissions. Otherwise, this would be a completely non-issue. But, is there a package which is pre-installed that we can exploit the permissions of to do this? I don't know yet.
Click to expand...
Click to collapse
Its worse than that, the package also has to be debuggable
There is some info out there on how to sing a package with the appropriate system permissions so it would be interesting to actually do this and see what, if anything can be done.
I downloaded the asus unlock package and passed it through the apk tool to see what it does, as it obviously would need root access. As root access is all i require the code it shows is irrelevant really, its the fact that it gains root access with its signature and also the uid that is set in the manifest android.sharedUserID="adroid.uid.system". This and, most importantly android.permission.MOUNT_UNMOUNT_FILESYSTEMS. WIthoput these things we cant change anything in the directories we need
Also, if my readings / assumptions were correct above, we probably don't want to do a setreuid(), but rather call bash/busybox as the 'command' issued in the name of the apk (since it would then run as root, or the uid of the package). Either that, or a system command(s) to chown/chmod the su binary that we can upload via adb (but which comes in as shell.shell).
Click to expand...
Click to collapse
Yes thats what we would do from the run-as command. What I was attempting to see was if I could get a root uid by creating a c program that uses the setresuid() function call thereby bypassing the need to have an appropriate package installed. As it didn't work I'm having dounts whether it would work even if the right package was there. run-as did make reference to package.h which I haven't looked at, so unless there are some system parameters that package.c extracts from the apk I dont really see how this will work...
Did you find the source for run-as somewhere? It would be interesting to look at to see if such a thing is possible. Failing that, it would be interesting to see if there were any sorts of buffer overflows that could be run against it. I've never tried such on arm7, but I've done it under UNIX on x86 and Sparc.
Thanks
Schemm
Click to expand...
Click to collapse
Yeah found the source here
I also searched for linux exploits, there are massive lists of them, most of them patched by now but I assume the linux base in JB would be somewhat different to whats getting around on X86 systems
On anather note I have tried bin4ry's "root many" method , using the restore timing exploit but had no luck.
HX... I looked through the scripts and all the misc files in bin4ry's zip package and could not find anything remotely indicating an injection of the qemu value. It make a symbolic link to the build.prop in com.android.settings...../file99, which was succesfull after pressing restore but thats about it. perhaps I should fire up ubuntu and try the linux script instead of the windows .bat file
Interestingly, this guys root method for the Razr M makes use of Run-as if you look at the batch file.
He is essentially doing a "fake package" install then runs an exe that is some sort of exploit. Finally he uses run-as against what I have to assume is the bug report feature of the droid and asks you to trigger a bug report with a button sequence.
So it seems he is getting something that has root privileges (bug report) to do something that grants SU and also implimenting run-as
http://forum.xda-developers.com/showthread.php?p=32889627#post32889627
I fear that remained a few developers interested in finding a way to root transformer prime with jelly bean, because all of them had tablet already rooted with ics and managed in mantaining rooting across upgrade.