
30th November 2008, 06:26 AM
Koush (Recognized Developer, OP)
Rooting RC30 - need some questions answered about adbd and debuggerd
If someone has a stock RC30 installed, can you tell me what user id runs adbd and debuggerd?
To be able to debug processes and take screenshots, those processes must be running with some sort of privileged permissions and may be exploitable...

30th November 2008, 07:50 AM
JesusFreke (Senior Member, Dallas)
debuggerd runs as root, adbd runs as shell (that's on my official RC30 phone)
"Whether You Think You Can or Can't, You're Right"
--Henry Ford
Android Developer Phone 1 - JFv1.51 - REPRESENT!

30th November 2008, 08:27 AM
Koush (Recognized Developer, OP)
Hmm, in that case, it may actually be possible to take a screenshot without root by writing an ADB client in Java to connect to the adb daemon. And, shell also has access to the surface flinger, so it may be possible to do autorotation as well.
Anyways, I'll take a look at debuggerd and see if there's anything interesting.
I did find some funny code in debuggerd.c a minute ago. Watch your phone's LED and type this into a root shell:
echo 255 > /sys/class/leds/red/brightness

30th November 2008, 08:45 AM
(Last edited by Koush; 30th November 2008 at 08:51 AM.)
Koush (Recognized Developer, OP)
Holy ****!!! There may be a root hole in installd:
installd runs as root; it is the daemon that allows you to do the following commands related to installing and uninstalling APKs and managing their DEX files.
Code:
    { "ping",       0, do_ping },
    { "install",    3, do_install },
    { "dexopt",     3, do_dexopt },
    { "movedex",    2, do_move_dex },
    { "rmdex",      1, do_rm_dex },
    { "remove",     1, do_remove },
    { "freecache",  1, do_free_cache },
    { "rmcache",    1, do_rm_cache },
    { "protect",    2, do_protect },
    { "getsize",    3, do_get_size },
    { "rmuserdata", 1, do_rm_user_data },
The install daemon reads these commands from a socket and then executes them.
The interesting command is the "install" command, which maps to the following function:
Code:
static int do_install(char **arg, char reply[REPLY_MAX])
{
    return install(arg[0], atoi(arg[1]), atoi(arg[2])); /* pkgname, uid, gid */
}

int install(const char *pkgname, uid_t uid, gid_t gid)
{
    char pkgdir[PKG_PATH_MAX];
    char libdir[PKG_PATH_MAX];

    if ((uid < AID_SYSTEM) || (gid < AID_SYSTEM)) {
        LOGE("invalid uid/gid: %d %d\n", uid, gid);
        return -1;
    }

    /* /data/data/<pkgname> and its lib subdirectory */
    if (create_pkg_path(pkgdir, PKG_DIR_PREFIX, pkgname, PKG_DIR_POSTFIX))
        return -1;
    if (create_pkg_path(libdir, PKG_LIB_PREFIX, pkgname, PKG_LIB_POSTFIX))
        return -1;

    /* data dir is owned by the uid/gid passed over the socket */
    if (mkdir(pkgdir, 0755) < 0) {
        LOGE("cannot create dir '%s': %s\n", pkgdir, strerror(errno));
        return -errno;
    }
    if (chown(pkgdir, uid, gid) < 0) {
        LOGE("cannot chown dir '%s': %s\n", pkgdir, strerror(errno));
        unlink(pkgdir);
        return -errno;
    }

    /* lib dir is always owned by system */
    if (mkdir(libdir, 0755) < 0) {
        LOGE("cannot create dir '%s': %s\n", libdir, strerror(errno));
        unlink(pkgdir);
        return -errno;
    }
    if (chown(libdir, AID_SYSTEM, AID_SYSTEM) < 0) {
        LOGE("cannot chown dir '%s': %s\n", libdir, strerror(errno));
        unlink(libdir);
        unlink(pkgdir);
        return -errno;
    }
    return 0;
}
The 2nd and 3rd arguments let you specify an ARBITRARY uid that owns that package. I think we can either rebuild adb to always pass in uid 0 and gid 0 (this may not be possible; adb may not have anything to do with the uid/gid selected). Or maybe connect to the socket from an application on the phone, and then marshall the command manually. That would get an APK onto the phone running as root.
Gonna give this a shot right now.

30th November 2008, 08:51 AM
JesusFreke (Senior Member, Dallas)
Look at the beginning of the function.
Code:
    if ((uid < AID_SYSTEM) || (gid < AID_SYSTEM)) {
        LOGE("invalid uid/gid: %d %d\n", uid, gid);
        return -1;
    }
That will disallow installing something with root access. AID_SYSTEM is 1000, the root uid is 0 of course.
But if we could get an app installed as the system user.. that may open up some more possibilities.
Also, I believe the socket that installd listens on is protected. If I remember correctly, it is restricted to the system user.
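The two posts above describe how installd works (a root daemon that reads one-line commands from a socket, tokenizes them, looks the first word up in a table with a required argument count, and calls the handler) and why the "install" command is not a root hole (the uid/gid guard against AID_SYSTEM). The following is an added example, not code from the thread or from AOSP: it re-implements that dispatch loop on a host with a stand-in install_sim() that keeps the guard but does no mkdir/chown, so you can feed it constructed command lines and see exactly which ones the daemon would accept. The names install_sim, run_command, reply_is and the "owner" reply text are assumptions made for this example; the command names, argument counts, AID_SYSTEM and the "<ret>" / "<ret> <reply>" reply form follow the code quoted in the posts.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants as used by installd of that era. */
#define AID_SYSTEM  1000
#define TOKEN_MAX   8
#define BUFFER_MAX  1024
#define REPLY_MAX   1024

typedef int (*cmd_fn)(char **arg, char reply[REPLY_MAX]);

struct cmdinfo {
    const char *name;
    unsigned numargs;   /* arguments required after the command word */
    cmd_fn func;
};

/* Hypothetical stand-in for installd's install(): keeps the uid/gid guard,
 * skips the filesystem work, and reports the owner it would have set. */
static int install_sim(const char *pkgname, int uid, int gid, char reply[REPLY_MAX])
{
    if ((uid < AID_SYSTEM) || (gid < AID_SYSTEM)) {
        fprintf(stderr, "invalid uid/gid: %d %d\n", uid, gid);
        return -1;
    }
    /* Real installd would now mkdir /data/data/<pkgname> and chown it uid:gid. */
    snprintf(reply, REPLY_MAX, "%s owner %d:%d", pkgname, uid, gid);
    return 0;
}

static int do_ping(char **arg, char reply[REPLY_MAX])
{
    (void)arg; (void)reply;
    return 0;
}

static int do_install(char **arg, char reply[REPLY_MAX])
{
    return install_sim(arg[0], atoi(arg[1]), atoi(arg[2]), reply); /* pkgname, uid, gid */
}

/* Only the two commands the discussion is about; the real table has eleven. */
static struct cmdinfo cmds[] = {
    { "ping",    0, do_ping },
    { "install", 3, do_install },
};

/* Tokenize one command line the way installd's execute() does and dispatch
 * it: split on whitespace, look arg[0] up in cmds[], refuse a wrong argument
 * count, otherwise call the handler. Returns the handler's result (-1 on any
 * error). If wire is non-NULL, the reply installd would write back to the
 * socket ("<ret>" or "<ret> <reply>") is stored there. */
int run_command(const char *line, char *wire)
{
    char cmd[BUFFER_MAX];
    char reply[REPLY_MAX];
    char *arg[TOKEN_MAX + 1];
    unsigned n = 0, i;
    int ret = -1;
    char *p;

    strncpy(cmd, line, BUFFER_MAX - 1);
    cmd[BUFFER_MAX - 1] = 0;
    reply[0] = 0;

    /* n counts arguments after arg[0]; each whitespace byte becomes a NUL. */
    arg[0] = cmd;
    for (p = cmd; *p; p++) {
        if (isspace((unsigned char)*p)) {
            *p = 0;
            if (++n == TOKEN_MAX) {
                fprintf(stderr, "too many arguments\n");
                goto done;
            }
            arg[n] = p + 1;
        }
    }

    for (i = 0; i < sizeof(cmds) / sizeof(cmds[0]); i++) {
        if (strcmp(cmds[i].name, arg[0]) == 0) {
            if (n != cmds[i].numargs)
                fprintf(stderr, "%s requires %u arguments (%u given)\n",
                        cmds[i].name, cmds[i].numargs, n);
            else
                ret = cmds[i].func(arg + 1, reply);
            goto done;
        }
    }
    fprintf(stderr, "unsupported command '%s'\n", arg[0]);

done:
    if (wire) {
        if (reply[0]) snprintf(wire, BUFFER_MAX, "%d %s", ret, reply);
        else          snprintf(wire, BUFFER_MAX, "%d", ret);
    }
    return ret;
}

/* 1 if running line yields exactly the wire reply expected, else 0. */
int reply_is(const char *line, const char *expected)
{
    char wire[BUFFER_MAX];
    run_command(line, wire);
    return strcmp(wire, expected) == 0;
}

int main(void)
{
    /* Constructed sample commands, including the root install the OP hoped for. */
    const char *lines[] = {
        "ping",
        "install com.example.app 10005 10005",
        "install com.example.app 0 0",
        "install com.example.app 1000 1000",
        "install com.example.app 1000",
        "rootme",
    };
    char wire[BUFFER_MAX];
    size_t k;
    for (k = 0; k < sizeof(lines) / sizeof(lines[0]); k++) {
        run_command(lines[k], wire);
        printf("%-40s -> %s\n", lines[k], wire);
    }
    return 0;
}
```

Running it shows "install ... 0 0" rejected with -1 while "install ... 1000 1000" is accepted, which is the system-user case JesusFreke points at. The other half of his objection is who can talk to the daemon at all: the socket is created by init, not by installd, and the init.rc of that period declares it as `socket installd stream 600 system system` (check your own build's init.rc), so only a process running as uid system, in practice the package manager inside system_server, can connect and send these lines in the first place.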

30th November 2008, 08:54 AM
Koush (Recognized Developer, OP)
Quote:
Originally Posted by JesusFreke
Look at the beginning of the function.
Code:
    if ((uid < AID_SYSTEM) || (gid < AID_SYSTEM)) {
        LOGE("invalid uid/gid: %d %d\n", uid, gid);
        return -1;
    }
That will disallow installing something with root access. AID_SYSTEM is 1000, the root uid is 0 of course.
But if we could get an app installed as the system user.. that may open up some more possibilities.
Also, I believe the socket that installd listens on is protected. If I remember correctly, it is restricted to the system user.
Ahh goddamnit.