Temporary root via motochopper
Hi, I was experimenting with rooting without registering at HTCDev, testing many Linux kernel exploits. (I don't write the exploits myself; I compile exploit source code and try to make it run on the One SV kernel.)
The exploit I found working is motochopper; with some minor modifications, it could also be used to gain temporary root on One SV.
I tested this exploit on the Taiwanese version of One SV, which is k2u and Android 4.1.2; the kernel version is "3.4.10-gb590306 root@abm022 #1 SMP PREEMPT".
First download motochopper.zip from the link above and unzip it.
adb push pwn /data/local/tmp/
adb shell chmod 755 /data/local/tmp/pwn
adb push su /data/local/tmp/
adb push busybox /data/local/tmp/
Now, adb shell into it and execute /data/local/tmp/pwn; this would push the su executable to /system/xbin. Then run "su -" and you should now become root!
But due to the HTC-modified kernel, which has eMMC write protection, the /system partition is unwritable. Some time later you would find that the su executable you pushed to /system/xbin has disappeared; this would also happen on reboots. This means you would need to re-run this exploit every time you reboot!
The motochopper exploit is based on CVE-2013-2596, which affects the Linux kernel before 3.8.9 and some Android builds. Since the vulnerability came from the Linux kernel, I predict it would also work on all versions of One SV's kernel 3.4.10, perhaps even all HTC 3.4.10 kernels.
With temporary root, you could read & write memory (dump the kernel image), dump any partition (but some of them are read-only, as mentioned above), etc.
I'm still thinking about how to get permanent root from this point; post here if you have any ideas!
P.S. I have fewer than 10 posts, so I can't post to the development boards. But this post should go there, I guess.