hello,
sorry if this isn't the right place to ask this question, and please redirect me, this is a fairly huge site.
I know this question has been asked many times, but I didn't see a clear answer to it from security experts, or it is from several years ago and things might have changed.
My question is double:
first of all, nowadays, how does the process of rooting an android phone work (please detail if there are various alternatives) ? Does it rely on a security hole, or is it a kind of attack (such as physical access to the device) that is not part of the security perimeter of android ? In the first case, why is it that it's not fixed, as there are open bounties for the android system ? Note that I'm just talking about the android system itself (such as a Nexus Phone), with the latest patches.
Second related question: What would be the security risk of rooting an android phone ? If I am not mistaken, these could be grouped in at least two issues: the rooting process itself, and the aftermath.
a. Regarding the rooting process, is there any open source procedure (or at least closely reviewed) to root a nexus phone that could guarantee that there's no malware installed in the process ? (see also first question)
b. From what I understand, having a rooted android is no different than having a linux OS with a root account. Are there any (free, open source?) apps that can monitor (what commands have been launched, etc) and prevent apps from getting access to the root account without my agreement ? (so that it is linux OS where any account that requires root privileges must go through 'sudo' and ask the user to enter their password).
Please tell me if I'm asking in the wrong part of the site.
Related
Hello XDA-Forum users,
I ask you a question: How does Android Root works ?
I mean, for example, How does it works in Nexus One ?
This would be an understanding question to know more about how I get root from my Phone (Nexus One, for example) from scratch, from sources.
upupupupupup
Rooting basics:
http://lifehacker.com/5342237/five-great-reasons-to-root-your-android-phone
For details on how to do it on your device, Google or use the forum search. Lots of rooting information that is device dependent out there.
It basically gives your phone permission to do almost anything. It is similar to giving a user in Windows Administrator rights. It is called super user. You can do many things such as removing unwanted apps and overclocking.
This is not what I mean, I asks for an explaining in which the question is "How the root is possible? What active the root ?" Probably a kernel exploit, or stuff like that, to understand the underground passage to take it, from an hack view.
So, How works a root utility (such SuperOneClick) to set gid to 0 ?
Valid question, I am also interested in learning this.
In other words, if I were to perform the rooting manually, where can I find such info?
And some of the question is why su must be in some diredctories, and can't be run from /data/local/tmp for example?
Someone can enlighten us?
diego.stamigni said:
Someone can enlighten us?
Click to expand...
Click to collapse
The general approach is taking advantage of bugs in the android OS
The process works something like this
User crafts some special data that contains a "payload" (the script/executable that we want to run)
User runs a system process that has root privileges and gets it to open the special data
The bug causes the system process to get confused by the data, and ends up running the embedded script
The embedded script runs with the same privileges as the system process, and thus can stuff that normal users aren't allowed to do (e.g. installs the SU app)
Commonly, things such as buffer overflows are used
So after gaining root access, which apps can run as root?
Or the user becomes root(as in desktop), and can run all types of apps?
Can root app(run as root) access everything?? Or app permission still applies?
Is it that system exploit is always used to run root apps?
can someone explain in technical details? not how to root.
are rooting programs open source??
What is the root procedure
Bayint Naung said:
So after gaining root access, which apps can run as root?
Or the user becomes root(as in desktop), and can run all types of apps?
Can root app(run as root) access everything?? Or app permission still applies?
Is it that system exploit is always used to run root apps?
can someone explain in technical details? not how to root.
are rooting programs open source??
Click to expand...
Click to collapse
Hi guys!
I have the same question and after searching and asking find this!
it is good!!
hope it works!
http://stackoverflow.com/questions/...hat-are-the-pre-requisites-for-it-to-work-wha
also look at the suggestedpages at the right of this page!
Hello everybody.
This is my first post, and while I am noob at XDA-Developers, I have spent more than 10 years writing and reading in forums, and I know what has to be done before writing on them. And I did. I have a couple of questions that I think they are not easy to answer. Indeed, I spent 8 hours yesterday searching through the interwebs and this forum to try to figure out the most thorough answer. And I think I figured out mine, but I don't know any people that can reinforce my toughts and tell me "Hey Gabriel: you are right, you did well, you are the man: go out for a beer, keep calm and carry on". I will ask the questions first, and later I will explain why I ask such questions, and finally what are the steps I did.
The questions are: How can I remove root from a custom rom, and how can I be sure that I properly did? I know that many of us think that "This is stupid / Why do you want to do such a thing / the power of your phone will... / go to stock / etc". But, any way, I have a deep concern on expanding concepts and knowledge, and I thing that root process, root means and rooted phone securing checklist are not as clear as I would like to find them. And more important: I *have* to remain in a custom rom but I *must not* be root.
So the why's are not the question but, just to add some reasonable context: I have a phone that does not fit my needs with the stock rom, because a hardware component is falling apart and I need a software workaround (YEAH, right LOL: a Nexus One with the power button falling apart and I need to be able to unlock / wake with the trackball; but this thread is Android-wide because it tries to find a deep insight into rooting itself). This software workaround does not work in stock rom when I configure the password / PIN / pattern. And the problem with custom roms is that they run into trouble with certain data-protection aware environments, which do not allow rooted terminals. And more important than all: I have no need at all to be root, at least by now.
So, I spent hours searching, and I figured out that I should remove "su" command and related APK's (ROM Manager, Superuser, ... and some others that I won't need). All by myself and with some posts (I don't remember if they were here or in "HTCMania", a good spanish smartphones board, either) that suggested it.
The exact process I did was to download CyanogenMod 7.2 RC1, check signature & md5 to make sure the zip was what it claimed to be (because later I found that I needed to shut down recovery signature check) open the .zip, remove "/system/xbin/su", install the rom, remove su-related ".apk" with adb, and try to check if it still had any sort of superuser permission scalation. It aparently does not have. I checked /data directory with Root Explorer, I downloaded and ran Root Checker Basic.
The results seem what I expected (and that's the question: they seem, and I don't know if they are): I am running on CyanogenMod, the workaround (wake on trackball) works, the PIN/password works fine with it, and it seems I am not able to gain root access.
But my question are deeper than that: is there any remaining technical mean that could be used to gain root access on my phone? Do I have to get rid of more su-companion tools to be sure and to be "non-root"-compliant? Is there any checklist we should follow to check both if our custom ROM is rooted-but-secure and if our ROM is properly un-rooted? And most important: did I miss / failed to find the correct resource in these forums?
Thanks to every body and congrats for this outrageous boards.
WARNING:I AM NOT THE AUTHOR. I FOUND IT ON ANDROID AUTHORITY AND I FOUND IT GOOD SO I'M SHARING IT! THANX TO THEM
So, you’re new to the Android community. First off, welcome to the wonderful world of customizing your phone! Android’s all about the power to make your phone truly yours and if you dig deep enough, you’ll find a hundred ways to make your phone unlike anyone else’s on the planet. Or, at least, nearly unlike anyone else’s. The more you customize, the slimmer the chance people will have the exact same settings. If you’re a stickler for individuality, you’ve made the right choice by getting an Android. But, the moment you loaded up Android Authority, you already feel overwhelmed by new words.
What’s a ROM? What does root mean? What are all these funny words people keep throwing at each other and what is the meaning of life? We’re kidding on the last one, sort of, but just like any newbie, getting into the world of Android is intimidating. You can still your racing heart and wipe those sweaty palms on your pants because Android Authority’s got your back covered. We’ve put together a list of some of the high-sounding words that newbies frequently encounter and compile the words into some sort of easy-to-digest layperson’s dictionary of rooting terms. Come across a word that you don’t understand? Check out our list, it should be here.
ADB
The acronym for Android Debug Mode. Whenever your Android device is connected to your computer, ADB is the command line tool that helps your computer communicate with your device. ADB is part of the Android Software Developers Kit (SDK) and is often used in root tools, whether or not you’re typing the commands in yourself. Unless the instructions call for installing the SDK and running ADB commands, you won’t need to mess with it.
AOSP
Short for Android Open Source Project, you’re likely to see this in ROM descriptions. AOSP usually indicates that the ROM is based on the Android source code provided by Google itself, and not on some other ROM project or a company’s firmware.
Bloatware
Like it says on the tin, bloatware is software or apps that you don’t need, but come pre-installed to a device’s /system partition. What this also means is that you can’t remove them unless the device has been rooted. Usually, these are apps are sponsored by a company and are included by a carrier for profit. For example, the Photobucket app included on the G2 by T-Mobile is deemed by many to be bloatware, although, arguably, some folks do find the app useful. Bloatware is a subjective thing. Some person’s bloatware is another person’s lifeline.
Bootloader
A number of ROMs require your bootloader to be unlocked, but what in the world is it? The bootloader is the lowest level of software on your phone, running all the codes necessary to start up your operating system. Most bootloaders come locked, which prevents users from rooting their phones. This is because manufacturers want you to use the version of Android they’ve provided. With a locked bootloader on Android phones, you cannot flash custom ROMs. Unlocking your bootloader doesn’t mean rooting your phone, but it does allow you to root and to flash custom ROMs.
Boot loop
When your system re-cycles over and over without entering the main OS, your system is stuck in a boot loop and the phone is said to be boot looping. This may happen if you do not follow instructions. At other times, boot loops are caused by defects in the software code. Usually developers who are aware of this problem include boot loop patches that must be flashed after you flash the custom ROM.
Brick
You’ve probably heard this one a few times. It’s usually the result of tampering with the insides of your device and doing irreversible damage. A brick can be the result of a faulty flash or firmware update, a mod gone wrong, or being struck by lightning. Brick refers to a device that no longer functions, generally caused by a failed firmware or SPL update. Since the device no longer works as intended, it is often referred to as a “brick” or “paper-weight”, since that is all it is good for. Since any modification to the device’s software could potentially brick it, following instructions is very important.
BusyBox
BusyBox is an application that provides a standard set of UNIX tools. The default toolbox provided by Android is limited, so BusyBox is required to allow rooted ROMs or apps to use more advanced UNIX features.
Dalvik cache
Sometimes in flashing ROMs, wiping the Dalvik Cache through Recovery Mode is important, but just what is the Dalvik Cache? The dalvik-cache directory holds all of the pre-compiled *.dex files created from installed apps. These files are static and do not change unless the app is updated.
Deodex
This term is most often seen on a custom ROM’s list of features. When a ROM has been deodexed, it means that its apps have been prepared for modification. Deodexed ROMs have apps that have been repackaged in a certain way. Developers of custom ROMs choose to deodex their ROM packages, since it lets them modify various APKs, and it also makes theming possible after the ROMs have been installed.
Flash
Flashing is the term used to install something on your device, whether it’s a ROM, a kernel, or something else that comes in the form of a flashable ZIP file. It is the process of applying a firmware image or a ROM, to your device and usually entails a very specific order of steps. If you don’t follow instructions, you may end up bricking your device.
Fastboot
Fastboot is a boot menu that you can do stuff from before Android is launched. From this menu, you can choose to boot into Recovery Mode, and more. Fastboot is a protocol used to directly update the flash filesystem in Android devices from a host over USB. It allows flashing of unsigned partition images. It is disabled in almost all production devices since USB support is disabled in the bootloader.
Firmware
A phone’s firmware is basically its operating system. A “firmware update” means that the operating system, the software that controls the phone, is updated. “Stock firmware” means that the firmware is unmodified: it’s the version of the operating system the phone’s manufacturer delivers.
HBoot
When you switch your phone, HBoot is loaded immediately and is mainly responsible for checking and initializing the hardware and starting the phone’s software. HBoot can also be used for flashing official software releases, as well as a few other things.
IMEI
The International Mobile Equipment Identity (IMEI) number is a number unique to every GSM, WCDMA, and iDEN mobile device, as well as some satellite devices. The IMEI number is used by the GSM network to identify valid devices and therefore can be used to stop a stolen device from accessing the network. For example, if a mobile device is stolen, the owner can call her or his network provider and instruct the provider to “ban” the device using its IMEI number. This renders the device useless, whether or not the device’s SIM is changed. The IMEI can be displayed by dialing *#06#. When a procedure asks you to take note of your IMEI, make sure to store it in a safe place.
Kernel
The kernel is the heart of any Linux-based operating system. A kernel acts as the brain of the system and controls how the hardware and software interact. It also decides which activity your Android device should carry out at any particular instant.
NANDroid backup
Most how-to guides include this and all developers demand you to take a few seconds before flashing their ROM to make a NANDroid backup. NANDroid is a set of tools and scripts that will enable users who have root on access their Android device to make full system backups, in case something goes wrong or you would like to out an experimental ROM or theme. NANDroid will backup (and restore) the /system, /data, /cache, and /boot partitions. This backup can be restored later, whenever you want. NANDroid backups are created from the Recovery Mode, often with ClockworkMod Recovery.
Opensource
This term refers to software whose source code anyone is allowed to view, modify, or redistribute. In the context of Android, opensource refers to the approach of the design, development, and distribution of software. This offers accessibility to a software’s source code for modification, improvement, bug-fixing, and security-enhancement. The CyanogenMod project is based on this principle.
Overclocking
This term is used when users want to increase the speed of their device’s CPU or GPU. Overclocking can be done by installing special kernels designed for this purpose.
Radio
The radio on your device handles communication and sending and receiving voice and data. Flashing new radio firmware can improve your radio hardware’s reception and bring other benefits. You can flash radio firmware through Recovery Mode, just like how you would a custom ROM.
Recovery
Recovery is the software on your phone that allows you to make backups, flash ROMs, and perform other system-level tasks. The stock recoveries don’t do much, but if you can install a custom recovery such as the extremely popular ClockworkMod Recovery, you’ll have increased control over your device. Other popular custom recoveries also include 4EXT Recovery and TWRP Recovery.
ROM
In the context of Android, a ROM (acronym for “read-only memory”) or, more specifically, a “custom ROM” is a modified version of Android. Developers may give it extra features, a different look, enhanced performance, and others. It may even be a version of Android that hasn’t even been officially released yet. Some of the popular custom ROMs you may have heard of are CyanogenMod, Android Open Kang Project (AOKP), and MIUI.
ROM Manager
ROM Manager is an immensely popular app for root users, allowing users to flash ClockworkMod Recovery, install ROMs from their SD card, perform backups, and even download new ROMs over-the-air.
Root
Root refers to “administrator” or “full” access to the device. That is, your device earns enhanced privileges and can grant you more control in customizing it. The term referring to the process of gaining such administrative access is “rooting.”
With root access, you can mount the device’s internal memory partition as read/write, allowing you to do various things like USB or Wi-Fi tethering and uninstalling annoying bloatware. You can also enjoy certain applications that require root access, overclocking or underclocking the CPU, and more.
Some phones are easier to root than others. Certain phones require a tedious process to gain root access while other phones and firmware have easy and painless one-click methods. You can get root access by either installing the Superuser application or by flashing a custom ROM that already has root access included. Check out our section dedicated solely for guides on how to root your Android device.
Rooting, unfortunately, also voids your warranty, so you must be extra careful with whatever you do to your phone after you’ve rooted it.
RUU and SBF
ROM Upgrade Utilities (RUU) and System Boot Files (SBF, for Motorola phones) are files direct from the manufacturer that change the software on your phone. RUU and SBF are how the manufacturers deliver over-the-air upgrades and modders often post leaked RUU and SBF files for flashing when updates haven’t been released yet. They can also be handy when you’re downgrading your phone, especially when a rooting method is not yet available for the newest software version. You can flash RUUs directly from your HTC device, but Motorola users will need a Windows program called RSD Lite to flash SBF files.
S-OFF
HTC phones use a security feature called Signature Verification in HBOOT, the bootloader on HTC devices. S-ON (security on) will read-lock your /system and /recovery partitions, blocking you from performing certain root-level actions directly from Android. By default, your phone has S-ON, which blocks you from flashing radio images. You can disable this security measure with S-OFF (security off), although you risk bricking your phone in the process but will allow you to flash new radios. Rooting doesn’t require S-OFF but many rooting tools give you S-OFF in addition to root access.
Superuser
Since Android is a Linux-based operating system, Linux has something called root access. By rooting your Android phone, you gain superuser access. The superuser, or root user, is a special user account for system administration. Superuser is also the name of an app, which lets you grant or deny superuser privileges to other apps.
Wipe
Usually refers to wiping data and cache partitions of the device. Usually before flashing a custom ROM, developers will instruct users to perform a wipe. Not performing a wipe may result in problems with the ROM’s performance.
Zipalign
You’re likely to see this term on the list of a custom ROM’s features. Zipalign is a tool that optimizes the way an Android app (APK) is packaged. The Android device can interact with an application more efficiently, and in doing so, has the potential to make the app and the entire Android system perform much faster. Zipaligned applications are launched more quickly, and they use less amounts of RAM.
Congratulations! You’re now equipped with some basic rooting and Android knowledge. Now you can dive into XDA Developers and feel less like a noob. Using your newly acquired knowledge, you can make better informed decisions when looking for a ROM to power your Android device with. Good luck and happy hunting!
Got a rooting term that’s bugging you? Let us know in the comments and we’ll try adding it to our dictionary.
References
Diablo67. (2012, January 27). Android terms, slang & definitions (Read this before posting questions!) [Msg 1]. Message posted to http://forum.xda-developers.com/showthread.php?t=1466228
Gordon, Whitson. (2012, February 21). The always up-to-date guide to rooting the most popular Android phones. Retrieved from http://lifehacker.com/5789397/the-always-up+to+date-guide-to-rooting-any-android-phone
paul-ac. (2011, July 22). [Android ROM dictionary] Newbe friendly [Msg 1]. Message posted to http://forum.xda-developers.com/showthread.php?t=1180477
PolicyWonk. (2011, December 10). Root terms defined – ROM, shell, S-ON, etc. [Msg 1]. Message posted to http://androidforums.com/precedent-all-things-root/461024-root-terms-defined-rom-shell-s-etc.html
Static. (2011, July 30). Rooting dictionary [Msg 1]. Message posted to http://www.theandroidsource.com/questions-answers-forum/536-rooting-dictionary.html
TechCredo. (2011, February 11). Android ROM and rooting dictionary: All the terms explained. Retrieved from http://www.techcredo.com/android/android-rom-and-rooting-dictionary-all-the-funny-words-explained
ALL THE CREDIT GOES TO THEM! THANK YOU GREAT PEOLE
EDIT: 125+ VIEWS AND NO COMMENTS? :O
unlocking fastboot
Hi everybody,
Good evening!
I recently came across a post about almost 50% android devices being vulnerable. Duo securities has made this finding using an app 'X-Ray'. They mention following 8 types of vulnerabilities: 1. Ashmem 2. Exploid 3. Gingerbreak 4. Levitator 5. Mempodroid 6. Wunderbar 7. Zergrush, and 8. Zimperlich. Please see this link for details: http://www.xray.io/#vulnerabilitieshttp://www.xray.io/#vulnerabilities
I downloaded the app 'X-Ray' and did a X-ray of my Desire Z. It came out clean for all but one vulnerability, Mempodroid. I've a rooted and S-off desire z and am using Jelly Bean rom (andromadus Test Build, .85). The website gives following details for the Mempodroid:
"Inherited from the upstream Linux kernel, a vulnerability in the /proc/pid/mem interface allows for writing arbitrary memory in the address space of a setuid process. It's about as complicated as it sounds, but attackers are smart like that."
I cross checked the same X-ray with a different rom, this time GenY (Sense 4 based ICS Rom). The results were similar. I don't know much about these vulnerabilities so thought of putting this question in this learned forum. Please clear my following doubts:
1. Is this Mempodroid is a serious problem?
2. Since this is surfacing in different roms, it should not be a ROM-specific issue but a device-specific one. Is there anything that I can do to remove this vulnerability.
3. What possible harm can it do to me?
Thanks,
dcpathak
HTC Desire Z (Rooted & S-Off)
Those sound like root methods, or at least the few I recognize. Basically it would be possible for a malicious app to have a root exploit built it so that it could get su permissions and potentially do some real damage. Even if your device was already rooted with Superuser installed the root exploit would bypass the superuser prompt since it doesn't need root to get su. As long as you download apps straight from Google Play and check the reviews first to make sure its legit, you'll be fine. These malicious apps are turning up on sites that distribute pirated software.
If you've used one of the root methods listed to root your device, don't worry. Any root method is technically a security vulnerability.
Thanks, I also remembered that some of these vulnerabilities are names of root methods, for instance, Gingerbreak, Zergrush etc. Further, I think Mempodroid may have something to do with the processor speed management (just a wild guess).
dcpathak
Just don't install apps from dubious sources and your fine.
While those loop holes could be exploited, you will need to have downloaded an app that does this in the first place.
I have a question, and if possible the answer should be as wide as possible to work on as many systems as possible. While I am not fully conversed in Android functions, syntax, and interfaces, I have been programing various computers since the mid 80's and have applied rooting/jailbreaking methods to several systems (if it functions like a computer, I want my Admin rights, much thanks to each and all authors of these). I know that someone somewhere out there may have asked and already found a solution to this very annoying problem.
Thanks to the Google's decision to increase security in the Android OSes (KitKat and higher) by removing write access to the SD Card (as I call it a very 'bonehead' and brute force decision), most of the older apps do not work properly anymore with the user added SD Cards and most are not being updated with some form of support (create a folder on SD Card). The solution for most persons is to root the system then either run an app that corrects the problem or install a new LRAM image (Lockable RAM: 'unlock' the RAM and overwrite its data with a new image then re-lock it. I don't like the term 'ROM' for this as it has been incorrectly used since the late 80's). I have found at least 2 file managers that say they have a (in-app) solution, but these solutions don't extend to all of your other apps (ie "Root Explorer" or "B1" solution doesn't help your File server/uTorrent/Photo Gallery app).
But what of the owners that for one reason or another can't root their system (unable to root, not authorized or allowed to root, etc.) but want/need to have write access to the user added cards (mainly because their internal storage is just too small)? Example, in my case my personal phone has several apps that require it to remain in an unrooted state for certain work related programs (security issues).
So here is my question:
Is it possible, on an unrooted and stock LRAM android device, using ADB to PULL the "platform.xml" file, add the line '<group gid=”media_rw” />' to it, then PUSH the edited file back to the android device?
I realize this may require entering (various name versions) Recovery or Update mode which is specific to each device (I think Samsung calls their ODIN). But I think the ADB commands and computer side instructions should be the same. So if it is possible, please list all ADB instructions (I know the text editor used will depend on the PC/MAC OS used).
Thank you one and all that give any advice or assistance.
Well it looks like there have been a lot of lookers since I first posted this but still no reply by anyone that knows Android OS inside and out. Most of you are probably thinking "tl:dr" to all of it.
I know there has to be a way to update/upgrade system files that doesn't require rooting or a way to find the manufacturer's or cellular vender's access path or password.