XDA Developers Android and Mobile Development Forum

[Root/Write Protection Bypass] MotoX (no unlock needed)

jcase
(Last edited by jcase; 3rd November 2013 at 10:44 PM.)
#1  
Forum Moderator / Senior Recognized Developer - Taco Vendor - OP
Thanks Meter 5506
Posts: 3,143
Join Date: Feb 2010
Location: Sequim WA

[Root/Write Protection Bypass] MotoX (no unlock needed)

The latest OTAs patch this exploit

The "Camera patch" patches the vulnerability we use to gain system user, and pwnmymoto will no longer work on devices with this update.


Warning:
I will not be responsible for damage to your device(s) by using this exploit. Antivirus software and Play services will likely detect this as potentially
malicious. It is an exploit, deal with it or don't use it. Do not mirror these applications without my permission!


Change Log:
1.4.3 detects failed su installation (0 size su) and allows reinstallation
1.4.1 adds reliability, and fixes issues for users when improper permissions are applied to su (Preventing updates).



PwnMyMoto is a replacement for my previously released MotoRoot. PwnMyMoto exploits three vulnerabilities to gain root access, then to gain write access to system. This is a traditional root, and doesn't use any 'hackery' to maintain su access, unlike MotoRoot.

First we use bug 9695860 (aka second masterkey) to gain system user, then we use a symlink attack to gain root access. After gaining root we exploit a flaw in the bootloader, allowing us to bypass the write protection applied to system. In the process we remove stock recovery, so OTAs will not be a worry.

Install PwnMyMoto by running:
Quote:
adb install -r PwnMyMoto-<version and model go here>.apk
Then run PwnMyMoto. Depending on the current root status of your phone it will reboot 2 or 3 times; after the last reboot it will uninstall itself and su will be installed on the actual system partition. Please install SuperSu from the market after this step is done.

We have two (ok, more, but we're not going into that) boot modes. First is normal, which boots regular Android, and in this case boots with system write protected. Second is recovery mode, which normally boots recovery without write protection. Our exploit will hijack the recovery bootmode and boot Android without write protection.

After running this exploit, if you boot normally /system will be write protected. If you boot to "recovery", Android will boot without write protection. If you wish to edit system, you must boot into "recovery" to do so, any changes made will stick and will work in either bootmode. My suggestion is to make your changes in "recovery" and run the device day to day in normal mode, until we are certain "recovery" mode will be 100% stable for day to day use.

The exploit will uninstall itself after successful exploitation.

To see if write protection is applied, you can run:
Quote:
adb shell getprop ro.boot.write_protect
If it returns '1' then write protection is applied to /system, if it returns '0' then no write protection has been applied.

In the future we will have a replacement recovery, but at this time it is still in development. Enjoy.
I'm taking a break of an undetermined length. Please don't contact me about exploits

Something important? jcase@cunninglogic.com
Like Android security topics? Join our G+ community -> https://plus.google.com/communities/...07618051049043
My Bitcoin address : 1Newifz6yETTmbziCsZZstmHHPH6ejNr75
The Following 131 Users Say Thank You to jcase For This Useful Post
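The post tells you to check `ro.boot.write_protect` and to make /system edits only in the hijacked "recovery" boot mode, and the 1.4.3 changelog mentions a failed install leaving a 0-size su. The script below is an added example, not part of jcase's post or of PwnMyMoto: it reads the boot mode, the write-protect flag and the size of the installed su binary over adb and reports them in one place. The raw values are interpreted by small functions so they can be exercised without a device. It assumes (none of this is stated in the thread) that adb is on PATH with one device attached, that `ro.bootmode` reflects the boot mode that was selected, that su was placed at /system/xbin/su, and that the device shell provides `wc`.

```shell
#!/bin/sh
# Added example, not part of jcase's post or of PwnMyMoto: report the state the
# thread tells you to check after rooting.
#
# Assumptions (not stated in the thread): adb is on PATH and one device is
# attached; ro.bootmode reflects the boot mode that was selected; su was
# placed at /system/xbin/su; the device shell provides wc.

SU_PATH=/system/xbin/su   # assumed location of the installed su binary

# ro.boot.write_protect: 1 = /system write protected, 0 = writable.
write_protect_status() {
    case "$1" in
        1) echo "protected" ;;
        0) echo "writable" ;;
        *) echo "unknown" ;;
    esac
}

# Classify the su binary by its size in bytes ("missing" if the probe found
# nothing). A 0-byte su is the failed installation the 1.4.3 changelog mentions.
su_status() {
    case "$1" in
        missing) echo "missing" ;;
        0) echo "empty" ;;
        ''|*[!0-9]*) echo "unknown" ;;
        *) echo "ok" ;;
    esac
}

# Read one property from the attached device, stripping the CR that adb shell
# adds on some hosts.
device_prop() {
    adb shell getprop "$1" | tr -d '\r\n'
}

# Live report: boot mode, write-protect flag and su status. If the device
# shell lacks wc, the size probe yields nothing and su is reported as missing.
check_device() {
    wp=$(device_prop ro.boot.write_protect)
    bootmode=$(device_prop ro.bootmode)
    size=$(adb shell "wc -c < $SU_PATH" 2>/dev/null | tr -d '\r\n ')
    echo "bootmode:       ${bootmode:-unknown}"
    echo "write_protect:  ${wp:-unset} ($(write_protect_status "$wp"))"
    echo "su ($SU_PATH):  $(su_status "${size:-missing}")"
    if [ "$(write_protect_status "$wp")" = "protected" ]; then
        echo "note: /system edits will not stick in this boot mode; reboot to the recovery bootmode described in the thread"
    fi
}

# Only talk to a device when asked, so the helpers can be sourced on their own.
if [ "${1:-}" = "--live" ]; then
    check_device
fi
```

Run it as `sh check_moto.sh --live` with the phone attached; without `--live` it only defines the helpers. A "protected" result together with "empty" su is the combination the 1.4.3 changelog describes, where the install has to be repeated from the recovery bootmode.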
 
Indirect
#2  
Recognized Contributor
Thanks Meter 2940
Posts: 2,317
Join Date: Mar 2011
Location: Florida
Figure I should add that this does not allow usage of custom kernels at this time because everything is still signature checked.



My Google Plus account
My Twitter
Shiftless evo shift developer
Nook Tablet developer-found root (here)

Quote:
Without developers this place would not be called XDA-Developers but something else, e.g Mobile Phone User Support Services For Ungrateful Nerds.
Developed on the following devices: Evo View, Nook Tablet, Evo Shift, Nexus S 4G (private), Evo 4G (private), Mytouch 4g Slide, Evo LTE, HTC One (In Progress), Moto X
The Following 9 Users Say Thank You to Indirect For This Useful Post
 
TeeX2.0
#3  
Senior Member
Thanks Meter 91
Posts: 317
Join Date: Jul 2011
"Thank You" just doesn't quite cover it. But THANK YOU!! for making all of our Moto X's more awesome!


donation is forthcoming, good sir.
 
_MetalHead_
#4  
Senior Member
Thanks Meter 1987
Posts: 5,050
Join Date: Jun 2010
Location: Chicagoland
If I rooted previously with MotoRoot, should I unroot and uninstall that app first before running this one?
\m/(-_-)\m/
 
htowngator
#5  
Senior Member
Thanks Meter 54
Posts: 625
Join Date: Mar 2008
So to apply entitlement hack we'd have to write in recovery mode then reboot into normal?

Sent from my HTC One using Tapatalk 4
 
Dark9781
#6  
Senior Member
Thanks Meter 210
Posts: 659
Join Date: Apr 2009
Quote:
Originally Posted by _MetalHead_ View Post
If I rooted previously with MotoRoot, should I unroot and uninstall that app first before running this one?
I didn't and it worked fine. It will also remove the app originally used to root.
Need Cloud storage? Try dropbox today. Just click on the link below to get started.
Dropbox
--------------------------------------------------------------
Can you see my memories?
The Following User Says Thank You to Dark9781 For This Useful Post
 
jonathanphx1
#7  
Senior Member
Thanks Meter 940
Posts: 1,203
Join Date: Apr 2010
You're the man jcase, thanks a bunch. I still remember back to the Eris days when you Rick Rolled a bunch of us on a ROM you put out. Lol, thanks again for this exploit.

jonathanphx1



Current Phone: Verizon Galaxy SIII 32gig-Blue Rooted/Unlocked Running CleanRom Seven with My DarkHorse Rises v3.3

My Dark Horse Verizon Galaxy SIII Theme: http://forum.xda-developers.com/show....php?t=2365611
 
madquack
#8  
Senior Member
Thanks Meter 375
Posts: 669
Join Date: May 2010
I am in no way trying to reverse engineer your tool, as I don't have a fraction of the knowledge required to do so; however, I am increasingly ripping apart things like this, similar to Dan Rosenberg's numerous tools. All I've got to say is dex2jar sucks donkey dick for helping me understand these things on a lower level!

The beer is flowing I hope everyone has a good night!

:beer:
 
Rask40
(Last edited by Rask40; 15th September 2013 at 02:11 AM.)
#9  
Member
Thanks Meter 7
Posts: 78
Join Date: Aug 2013
So for my stupid question of the day - how does one boot into recovery on this phone? Is it Power-Up or some other combination? Presuming I need to be in "recovery" to get xposed to stick.

Answered my own question. Fastboot is Power-Down.
 
jcase
#10  
Forum Moderator / Senior Recognized Developer - Taco Vendor - OP
Thanks Meter 5506
Posts: 3,143
Join Date: Feb 2010
Location: Sequim WA
Quote:
Originally Posted by du bist krank View Post
I am in no way trying to reverse engineer your tool, as I don't have a fraction of the knowledge required to do so; however, I am increasingly ripping apart things like this, similar to Dan Rosenberg's numerous tools. All I've got to say is dex2jar sucks donkey dick for helping me understand these things on a lower level!

The beer is flowing I hope everyone has a good night!

:beer:
No obfuscation was done to the Dex, not hiding anything. Try smali.

Sent from my GT-I9505G using XDA Premium 4 mobile app
The Following 4 Users Say Thank You to jcase For This Useful Post