2.1 RUU root vectors

---

So the way I see it, there are a couple vectors from which we can attempt to root the official 2.1 RUU:

1. SUID privilege escalation - this is /possible/ through many of the suid binaries in /system/bin (anyone know what skyagent is, and how to use it?)

2. TCP/IP ports 9734, 16650, 2479, 9000 - I don't know what these are for. If someone does, please let me know.

3. mkfs.ext2 the sdcard (except that noexec is set when card is mounted)

4. Some other way involving fastboot erase/restore???

If anyone else thinks of anything, I'm all ears - until then, I'll be playing with it

What I've been playing with so far

---

pppd, wifitools, reboot and ip are setuid root.

skyagent is setuid/setgid root (REALLY, if anyone knows ANYTHING about this, now is the time to speak up).

pppd can execute scripts through pppd connect...

so, I've done this so far...

to make /sqlite_stmt_journals/callit.sh:

Code:

echo "exec /system/bin/pppd -detach modem crtscts \\" > /sqlite_stmt_journals/callit.sh
echo "/dev/tty 460800 noipdefault defaultroute \\" >> /sqlite_stmt_journals/callit.sh
echo "noauth name fakeUsername connect \'/sqlite_stmt_journals/dialer\'" >> /sqlite_stmt_journals/callit.sh

to make /sqlite_stmt_journals/dialer:

Code:

echo "exec /sqlite_stmt_journals/su - /system/bin/sh" > /sqlite_stmt_journals/dialer

and then I drop su into /sqlite_stmt_journals.

After that, I chmod everything 0755 and chmod su 4755.

tried to have dialer chown root su, but that doesn't seem to work.

Any suggestions?

I don't know what your talking about but I know there is an official section in development for rooting the hero

ah thank you!