[APP][2.3+][ROOT][SUPERUSER] AnJaRoot - Android Java Root | 100% compatible with Xposed


pyler

Senior Member
Jan 13, 2013
Contact some android blogs for an article about AnJaRoot. People just have no idea what AnJaRoot is. Also you should create some example apps which use AnJaRoot... Your project is interesting but needs dev support (hard to get it in the world of supersu/superuser, too great to be true :))
 

Luminger

Senior Member
Oct 13, 2010

I barely have enough time to do what I think is necessary for AnJaRoot, developing a useful sample is way out of scope for me currently. Contacting android blogs is a thing I thought about before - I'm lacking a bit of an audience, yea. Any ideas which sites/blogs/people might be interested?
 

julle131

Senior Member
Mar 24, 2011

I think androidcentral.com would be a good place to start with. Also I think I have seen some root stuff on androidpolice. Getting featured on xda might be a good thing too. I pressed the "tip us". Let's hope other people do that too.

Sent from my GT-I9100 using XDA Premium 4 mobile app
 

rsap

Member
Oct 28, 2010
I just found your project and it looks quite promising to me! Do you think it will still work in future Android versions, given all the security "enhancements", like SELinux?
 

Luminger

Senior Member
Oct 13, 2010

The current AnJaRoot version runs on my N7 (KitKat 4.4) without any flaws, I can't think of any reason why this would stop working in the future. As long as you are able to flash unsigned update.zip files via recovery it should just keep working. As the zygote (which is altered by AnJaRoot) spawns processes like the SystemServer and all the other core android processes, which do need root, the Android guys can't strip root rights from it (I may be wrong, but it's quite unlikely) so AnJaRoot will just do its job.

So yes, it's currently working and should work in future releases - without any changes to AnJaRoot itself.
 

furjoy

New member
Mar 27, 2014
The project is really awesome!
I have made the Simplified Chinese and Traditional Chinese translations for it.

http s://drive.google.c om/file/d/0B83ei3Vyz2zhcHg3WmY5Mnd3OTg/edit?usp=sharing
(Sorry that I am not able to post a URL link, just remove the spaces)

btw, there is still a bug, or a problem, that when I force to shut down my N7, it will go into a bootloop:eek:
 

Top Liked Posts

    [APP][2.3+][ROOT][SUPERUSER] AnJaRoot - Android Java Root | 100% compatible with Xposed

    AnJaRoot stands for Android Java Root, and it's just that - a replacement for the previous generation of superuser access on Android. The days of calling su to execute scripts in a limited environment are over, developers are now able to perform previously restricted actions directly from Java!

    While I've tested AnJaRoot multiple times for the last weeks on emulators and real devices (4.3 and 2.3.7) I still consider it to be in beta phase. Please install it only if you are able to recover your device from possible bootloops.

    AnJaRoot 1.1.0 is now 100% compatible to the Xposed Framework!

    To get the latest version of AnJaRoot, go to the downloads tab or from the project homepage located at http://www.anjaroot.net/.

    Installation
    The preferred installation method is via sideloading/installing from sdcard the AnJaRoot Installer update.zip. The installer will auto-match your device arch (armeabi, mips and x86 are supported right now). If the installer reports an error, you can find the installation logs in /cache. Please upload them to this thread or file a bug report so I can fix the problem.

    AnJaRoot is also able to install itself via recovery. I've tested on the CWM recovery images, but it should work everywhere as no special tools are used except a shell in.

    Uninstall/Failure Recovery
    AnJaRoot is still new, you might need to uninstall it or recover from bootloops. To uninstall AnJaRoot use the provided uninstall update.zip, it will clean AnJaRoot from your device and should also recover you from bootloops.

    Current Status
    Please also note that AnJaRoot is currently not that interesting for endusers as no app out there has support for it. I will support developers with getting their apps running with AnJaRoot. Once you have adopted your app I will also list them here.

    Adding support to your app
    In order to use AnJaRoot in your app you have to utilize the provided AnJaRoot Library. Everything which should be needed for you is documented via JavaDoc comments (Online Version). For a reference implementation refer to the source of AnJaRoot Tester.

    Developers
    The project homepage lists some resources on how to integrate your AnJaRoot into your app. Please don't use this thread for questions regarding the Library, use this thread instead. It also shows how to get started hacking.

    ROM Developers
    AnJaRoot is currently not as easy to integrate as I want it to be. It's lacking a proper build system for ROMs and multiple changes have to be performed to change the package names (just for example). I will add support for it in the future. Meanwhile you may just preinstall the latest (signed by me) APK.

    Key features:
    • Supports Android >=2.3 (Gingerbread, API level 9) on arm, x86 and mips
    • Developers have a nice and robust library to utilize AnJaRoot to unlock the full potential of their ideas.
    • Need to run native code as root? AnJaRoot can grant root also to subprocesses without the use of su!
    • Simple to install: Install via app or directly flash/sideload the update.zip (which is useable on all supported systems) from http://www.anjaroot.net/
    • Developers don't need to write hard-to-debug shell scripts in order to issue commands as root, it was never easier to make use of superuser permissions.
    • Simple management UX for users
    • It's fully open source - AnJaRoot itself is GPLv3 licensed while the Library is published under the Apache License.

    Future features:
    • Android 4.x multi user support
    • Full replacement for the previous SuperUser tools
    • Major UX overhaul (more options and a real design)
    • Support for custom ROM integration
    • Compatibility with the XPosed Framework

    Disclaimer
    While I've developed it and made sure that your device doesn't get damaged, I can't guarantee that nothing bad will happen. It's your responsibility what you do to your device. Please be careful!

    XDA:DevDB Information
    AnJaRoot, a App for the No Device

    Contributors
    Luminger

    Version Information
    Status: Stable
    Current Beta Version: 1.1.0
    Beta Release Date: 2013-11-02

    Created 2013-10-19
    Last Updated 2013-11-05
    I'm eager but skill-wise not experienced enough to figure out the way this "exploits" works. I've taken a look at both documentation
    and code, and couldn't really understand what was going on (even though my main "field of study" is Java). Could you please summarize
    the method used to gain root access via this method? It would be very interesting to know

    Sure I can tell you about the inner workings of this "exploit". I'll split it into 4 parts. A general part about "what it does and why it works", second is the current LD_PRELOAD implementation, third I'll talk a little about the inner workings of the 1.1.0 release (which will come soon btw, had no time the last days to work on it sadly) and last about the library.

    The whole thing is based on Linux capabilities and the inner workings of the Android process spawning model. On Linux root is most of the time misunderstood (at least somehow). People think the mighty powers of root derive from the fact that the user id and group id are zero, but this doesn't grant root any special abilities. The real power of root comes from the capabilities granted to this user.

    The kernel knows a lot of them, they are listed in man 7 capabilities. Most of them are not that interesting for users, but CAP_NET_ADMIN and CAP_FOWNER are for example what people have in mind when it comes to root.

    Capabilities are normally only granted to root, but here the different capability sets come into play. If you take a look at man 2 capset, there are 3 of them. 'effective' is the set which is used when it comes to checking if the process has those capabilities. A process may drop them at any point in time by setting them to zero. A process is also able to "regain" all of the capabilities from the 'permitted' set. The 'inheritable' set is the set which will be inherited by a child of this thread and it's not really relevant in our case.

    If you want to know which capabilities a process has take a look into /proc/<pid>/status, it lists all 3 capability sets.

    Okay, we have talked about the capabilities and why they really are the power of root. Next is the Android process spawning. There are some resources on the net, I will just talk about the relevant parts here.

    The zygote is spawned very early in the boot process of any Android system and preloads a huge pile of resources and libraries which are used by all parts of the later system. After this has finished, the zygote is utilized by the system to spawn off new app processes (hence the name zygote, it's the parent of all app processes). This is done by forking a new child (all the loaded resources will be shared with it in a copy-on-write manner to save RAM) which is in the beginning nothing more than a direct clone of the zygote. A crucial thing I forgot to mention till now: zygote runs as root and has all/nearly all capabilities available on a system. After the fork has taken place the zygote will begin to specialize its new child (drop root, drop capabilities, set up the app) which will form the new app process.

    And here comes the trick I used with AnJaRoot:
    When the zygote specializes the child it will drop its capabilities from 0xFFFFFFFF (everything) to 0x00000000 (none). This drop is intercepted and will leave the child with a 'permitted' capability set of 0xFFFFFFFF and 'effective' 0x00000000 - as I described above those can be regained later, the child will remain 'root' this way.

    The intercept is realized with LD_PRELOAD. You can read on google about it - it forces the dynamic linker to load a library into the process before any other dynamic library will be loaded. This way a dynamic symbol resolve will at first try to find the asked symbol from this library, then it will proceed to other libraries (libc is queried after LD_PRELOADed libraries). The AnJaRoot Library provides a replacement for capset (which is called by the zygote to drop capabilities). This replacement will look into the AnJaRoot database and does the capabilities drop if the process is not an AnJaRoot enabled process, or it will not drop the capabilities and signal a successful capability drop to the zygote. This way the library can later aid the process to regain capabilities.

    The new AnJaRoot 1.1.0 release adds compatibility to Xposed which was a problem in the 1.0.0 release. It does so by utilizing ptrace to basically "debug" the zygote (it's the main debug interface, used by gdb for example, on Linux). It doesn't need to change the app_process this way (which is the binary which spawns the zygote initially) but is completely transparent to Xposed.

    The AnJaRoot Library adds the capset, capget, setresuid, getresuid, setresgid, getresgid calls to the Android Java land (those functions all have manual pages, you can look them up on the net). When you request capabilities via the Library it will utilize capset to set the 'effective' capabilities set to the previously preserved 'permitted' capabilities and also set your uid/gid to 0. And now the process is magically root again.

    This way nobody ever again has to use the su binary to gain root via setuid to call some shell scripts. You can now use the Android Java API to fiddle around with the filesystem, sockets and even Android services (you could claim to be a system process and do otherwise not permitted actions to the system).

    Hope this helps, if anything is not clear please feel free to ask =)
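    As an added example (not code from AnJaRoot or its author), the note above that /proc/<pid>/status lists all three capability sets can be turned into a small audit check: the script below parses Uid, CapInh, CapPrm and CapEff from that file and flags the exact state the post describes, a non-root uid whose 'effective' set is empty while its 'permitted' set is still populated, which is what a process with preserved capabilities looks like to someone reviewing a device. The capability bit numbers are the ones from man 7 capabilities; the two status excerpts are constructed samples, and the process-table scan over /proc is an assumption about where the file lives (it is read-only, nothing is changed).

```python
import os
import re

# Capability bit numbers as listed in man 7 capabilities (Linux)
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    9: "CAP_LINUX_IMMUTABLE", 10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
    20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN", 22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE",
    24: "CAP_SYS_RESOURCE", 25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL", 31: "CAP_SETFCAP",
}

# Constructed sample: an ordinary app process after zygote specialised it
NORMAL_APP_STATUS = """Name:\tcom.example.app
State:\tS (sleeping)
Pid:\t1234
Uid:\t10042\t10042\t10042\t10042
Gid:\t10042\t10042\t10042\t10042
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
"""

# Constructed sample: the state described in the post, permitted kept at
# 0xFFFFFFFF while effective was "dropped" to zero and uid is a normal app uid
PRESERVED_STATUS = """Name:\tcom.example.app
State:\tS (sleeping)
Pid:\t1235
Uid:\t10042\t10042\t10042\t10042
Gid:\t10042\t10042\t10042\t10042
CapInh:\t0000000000000000
CapPrm:\t00000000ffffffff
CapEff:\t0000000000000000
"""


def parse_status(text):
    """Extract real uid and the three capability masks from /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "uid": int(fields["Uid"].split()[0]),
        "inheritable": int(fields["CapInh"], 16),
        "permitted": int(fields["CapPrm"], 16),
        "effective": int(fields["CapEff"], 16),
    }


def cap_names(mask):
    """Translate a capability bitmask into the names from man 7 capabilities."""
    return [CAP_NAMES.get(bit, "CAP_%d" % bit)
            for bit in range(mask.bit_length()) if (mask >> bit) & 1]


def audit_process(text):
    """Return the parsed sets plus whether they match the preserved-root pattern.

    A non-root process normally holds nothing in any set.  A non-root uid with an
    empty effective set but a populated permitted set can re-enable those bits with
    capset at any time, so it is reported as suspicious together with the names it
    could regain.
    """
    caps = parse_status(text)
    regainable = caps["permitted"] & ~caps["effective"]
    caps["regainable"] = cap_names(regainable)
    caps["suspicious"] = caps["uid"] != 0 and caps["permitted"] != 0
    return caps


def scan_proc(proc_root="/proc"):
    """Walk a proc filesystem (assumed path) and return {pid: audit} for suspicious ones."""
    hits = {}
    for entry in os.listdir(proc_root):
        if not re.fullmatch(r"\d+", entry):
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                result = audit_process(fh.read())
        except (OSError, KeyError, ValueError):
            continue  # process exited, or a kernel without Cap* lines
        if result["suspicious"]:
            hits[int(entry)] = result
    return hits


if __name__ == "__main__":
    for label, sample in (("normal", NORMAL_APP_STATUS), ("preserved", PRESERVED_STATUS)):
        r = audit_process(sample)
        print(label, "suspicious=%s" % r["suspicious"], "regainable=%d caps" % len(r["regainable"]))
    for pid, r in scan_proc().items():
        print("pid %d uid %d can regain: %s" % (pid, r["uid"], ", ".join(r["regainable"])))
```

    The check keys on the combination uid != 0 and CapPrm != 0 rather than on CapEff, because the whole point of the interception described above is that the effective set really is zero afterwards; only the permitted set gives the preserved root away. Kernels print the masks as 32 or 64 hex digits depending on version, which int(..., 16) handles either way.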
    Thank you for such a great and informative reply, this was truly an experience to read through. You explained everything so well that the only question I have in mind has to be: how did you come along such a creative approach to this?

    By accident, as it usually happens (well, it may have helped a bit that I'm a Linux System Engineer also ;))

    I had looked up the Android startup procedure years ago, lately I looked it up again - I was curious that there must be a way to grant superuser rights to Android's Java processes (I knew a method was there, I just couldn't figure it out).

    After months I stumbled upon Xposed, I was searching for a method to enable NFC tag reading while the screen is off. I started to remember my research from months ago while I read the source of Xposed and so AnJaRoot was born (well, it took me another 2 weeks to figure out how exactly this would work - this method is far away from trivial...).

    It was a mixture of "I'm used to problems which other people mark as 'unsolvable'" and luck =)
    Reserved

    Apps which utilize AnJaRoot
    • AnJaRoot Tester
    Just wanted to give a short status update: I've prepared a PoC over the last week/this weekend which does work on armeabi/mips/x86 and uses ptrace to do the AnJaRoot job on (at least) Android 2.3.3, Android 4.1.2 (this was a little bit more interesting than expected...) and Android 4.2.2.

    I'm now wrapping it all up into a new AnJaRoot and AnJaRoot Library release. The new 1.1.0 version of AnJaRoot will work with the AnJaRoot Library 1.0.0, also the old Library will work with the new AnJaRoot 1.1.0 app.

    So stay tuned, it will come out within the next days after I've developed the missing bits and pieces, tested it again and wrap it all up into the 1.1.0 release ;)

    Edit: If anyone is interested, development of the ptrace stuff lives in the feature/ptrace-impl branches on github.