Behind The Scene : Android Rooting

Anant Shrivastava
08-17-2011, 03:59 PM
We all hear a lot of stuff about Android rooting techniques and how a phone can be rooted. This article is a small tribute to the rooting work that is going on.

Note: please don't ask me how to root a specific model of Android handset.

Rooting: what exactly is it?

Android devices are consumer devices, and as such things like a terminal client, superuser access (the su binary) and busybox are not provided by default. What this effectively means is that a person has no direct means of becoming root. However, due to the openness of Android, people have submitted or created a large number of applications which can use this superuser mode to do wonders.

Now the big question is how to gain root access; this is where rooting techniques come into the picture.

Rooting is a simple process of gaining temporary root access by exploiting a known vulnerability in the Android system and then installing the su binary and optionally the Superuser apk (which is a kind of permission manager). We find a large number of applications going around such as gingerbreak, rageinthecage, superoneclickroot etc.; all these applications employ one or another exploit to gain root access.

We also find a large number of images claiming to be pre-rooted; when they say they are pre-rooted it only means that they have the su binary and Superuser apk pre-installed.

Later I will add an analysis of how these rooting techniques work, such as psneuter, rageinthecage or gingerbreak.
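As an added illustration (not part of the original post, and not code from any of the rooting tools it names), here is a small POSIX shell check that looks for the artifacts the post says a rooted or pre-rooted image carries: the su binary, busybox and the Superuser apk. It is written from the defender's side, for running under `adb shell` or against a mounted system image to decide whether a device is still stock. The paths it checks are common install locations and are assumptions, not taken from the thread; the optional first argument is a directory prefix so the same function can be pointed at a mounted image or a test tree instead of the live filesystem.

```shell
#!/bin/sh
# Added example (not from the thread): report the artifacts a rooted or
# pre-rooted Android image typically carries. Intended for `adb shell` or a
# mounted system image; it only looks for files, it does not change anything.

# Assumed common install locations (not taken from the thread).
SU_PATHS="/system/bin/su /system/xbin/su /sbin/su"
BUSYBOX_PATHS="/system/bin/busybox /system/xbin/busybox"
SUPERUSER_PATHS="/system/app/Superuser.apk"

# report_indicators <label> <prefix> <path...>
# Prints each listed path that exists under the prefix; returns 0 if any did.
report_indicators() {
    label="$1"; prefix="$2"; shift 2
    hit=1
    for p in "$@"; do
        if [ -e "$prefix$p" ]; then
            echo "$label: $prefix$p"
            hit=0
        fi
    done
    return $hit
}

# check_root_indicators [prefix]
# prefix defaults to "" (the live filesystem). Returns 0 when at least one
# indicator is present, 1 when the tree looks stock.
check_root_indicators() {
    prefix="${1:-}"
    found=1
    # The lists are intentionally unquoted so they split into separate paths.
    report_indicators "su binary" "$prefix" $SU_PATHS && found=0
    report_indicators "busybox" "$prefix" $BUSYBOX_PATHS && found=0
    report_indicators "Superuser app" "$prefix" $SUPERUSER_PATHS && found=0
    return $found
}

# Stand-alone use: inspect the live filesystem, or $ROOTFS if it is set
# (for example the mount point of a system image pulled from a device).
check_root_indicators "${ROOTFS:-}" || echo "no root indicators found"
```

The check is deliberately file-based only: on a device the `su` binary and the Superuser manager are what the rooting tools in the post leave behind after the temporary exploit has run, so their presence, not the exploit itself, is what a stock-versus-rooted audit can observe afterwards.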

Anant Shrivastava
08-17-2011, 04:00 PM
===== reserved for analysis ==========

08-21-2011, 06:17 AM
Rooting is a simple process of gaining a temporary root excess by exploiting a know vulnerability in the android system.

str_replace("excess", "access" :D)

Anant Shrivastava
08-21-2011, 10:55 AM
Rooting is a simple process of gaining a temporary root excess by exploiting a know vulnerability in the android system.

str_replace("excess", "access" :D)

Thanks for pointing it out.... Post updated....

Everyone, give me a day or two; I will be writing the remaining content on it as soon as I get some spare time.

Anant Shrivastava
10-27-2011, 09:52 AM
Sorry for not posting more on this.

No excuses, I am just acting plain lazy.

In the meantime: latest exploit for 2.2 and 2.3
Revolutionary - zergRush local root 2.2/2.3 [22-10: Samsung/SE update] - xda-developers (http://forum.xda-developers.com/showthread.php?t=1296916)

Source code: https://github.com/revolutionary/zergRush/blob/master/zergRush.c

Anant Shrivastava
11-08-2011, 10:25 PM
More info on the latest zergRush exploit, as the latest CVE request states.
Copying the content of the mail for reference.

A local user with group "log" on Android may send a malformed message to vold ("volume daemon"), causing a stack buffer overflow. This has been demonstrated to be exploitable to escalate privileges to root on all Froyo (2.2.x) and Gingerbread (2.4.x) devices via freeing an arbitrary heap object and triggering a use-after-free condition [1]. It appears the bug was silently patched in Honeycomb (3.x), but note that since Honeycomb is not open source, it does not fall within the scope of this list. Bug discovered and exploited by the Revolutionary team [2].

[1] https://github.com/revolutionary/zergRush/blob/master/zergRush.c
[2] Revolutionary (http://revolutionary.io/)

CVE has been assigned: CVE-2011-4123

This exploit, as of now, is working on the largest device base currently available.

Confirmed to be working on the following devices:

Sony Xperia X10 (GB firmware)
Sony Xperia Arc (.42 firmware)
Sony Xperia Arc S
Sony Xperia Play [R800i/R800x]
Sony Xperia Ray
Sony Xperia Neo
Sony Xperia Mini
Sony Xperia Mini Pro
Sony Xperia Pro
Sony Xperia Active
NTT Docomo Xperia ARCO SO-02C
Samsung Galaxy S2 [GT-9100/GT-9100P]
Samsung Galaxy S II for T-Mobile (SGH-T989)
Samsung Galaxy S II for AT&T (SGH-I777), Skyrocket (SGH-i727)
Samsung Galaxy S [i9000B] & [i9000 2.3.3 (PDA I9000BOJV8, Phone I9000XXJVO, CSC I9000GDTMJV7) and german T-Mobile branding]
Samsung Galaxy Mini GT-S5570
Samsung Galaxy W [i8150]
Samsung Galaxy Y
Samsung Galaxy Tab [P1000] (2.3.3 firmware), [P1000N]
Samsung Galaxy Note [N7000]
Samsung Galaxy Player YP-G70 2.3.5 (GINGERBREAD.XXKPF)
Samsung Nexus S [i9023] (2.3.6)
Samsung Nexus S 4G 2.3.7
Samsung Exhibit (SGH-T759)
Samsung Exhibit 4G (SGH-T759) (2.3.3) Build UVKE8
Motorola Milestone 3 [ME863 HK]
Motorola XT860, Bell XT860
Motorola Defy+
Motorola Droid X sys ver 4.5.605 w/ gingerbread
Motorola Droid X2 (2.3.4) Sys ver 1.3.380.MB870.Verizon.en.US Build 4.5.1A-DTN-150-30
Motorola XT883 (China Telecom)
Motorola XT862 (Verizon Droid3)
Nexus One (2.3.6 stock)

Anant Shrivastava
02-10-2012, 02:49 PM
Excellent work by Dan Rosenberg with the Sony S tablet.

Detailed writeup of his exploit:

Security Research by Dan Rosenberg (http://vulnfactory.org/blog/2012/02/08/rooting-the-sony-tablet-s/)

You can find some more quality articles on other device rooting there also.

07-05-2012, 03:54 PM
Things that require root access on a typical Linux system (mounting and unmounting file systems, starting your favorite SSH, HTTP, DHCP, DNS or proxy servers, killing system processes, chroot-ing, etc.) require root access on Android as well.