Can this Root Droid 3?

Status
Not open for further replies.
Search This thread

pplude

Senior Member
Jul 27, 2011
103
10
32
Southbury, CT
I'll. Confirm that webtop does exist. That pulse-audio thing looks promising. That would mean it can be invoked anytime (because I don't believe that the D3, or any Linux for that matter still uses ALSA by default)

Sent from my DROID3 using XDA App
 

pplude

Senior Member
Jul 27, 2011
103
10
32
Southbury, CT
We should also look into zygote and how that works a bit (the application root runs to spawn all these sandboxes).

Sent from my DROID3 using XDA App
 
  • Like
Reactions: kerryrey

elkay

Senior Member
Apr 6, 2005
693
285
github.com
Well if all it needs is HDMI and not a dock, I have an HDMI cable if you need me to try anything. I'd prefer something that doesn't brick my phone if you can avoid that. ;-)
 

dotson817

Senior Member
Mar 28, 2011
461
52
This thread is getting exciting! Lol I am checking constantly, thanks a lot to all who are doing testing and searching for a possibility for root! I think I can speak for a lot of people following the thread, thanks for your efforts!

Sent from my DROID3 using XDA Premium App
 

pplude

Senior Member
Jul 27, 2011
103
10
32
Southbury, CT
i never chose an output for hdmi probably, and one was the hardware wrapper. I chose to mirror and a new process als_wq spawned.

Set to Media,a new root process spawns: HDMIWORK

Looks a little dev to me.
 
Last edited:

effinay

Member
Feb 17, 2010
32
2
Southwest Ohio
THANK YOU!!!!

I've been checking in on this thread for several days now and just wanted to give a huge THANK YOU to everyone who is working on rooting the D3!

I'm almost ready to renew my contract and am looking for an upgrade for my trusty rooted Eris and the D3 seems right up my alley.

KEEP UP THE GOOD WORK!!!!! Communities like these are the reason I'm sticking with Android. :D
 

psouza4

Inactive Recognized Developer
Feb 26, 2009
746
857
Meridian, ID
www.PeterSouza.com
I've been checking in on this thread for several days now and just wanted to give a huge THANK YOU to everyone who is working on rooting the D3!

I'm almost ready to renew my contract and am looking for an upgrade for my trusty rooted Eris and the D3 seems right up my alley.

KEEP UP THE GOOD WORK!!!!! Communities like these are the reason I'm sticking with Android. :D
I agree wholeheartedly. Hundreds others are probably lurking and anxiously waiting too -- we all greatly appreciate any and all efforts here. :) Go team!
 

PWn3R

Senior Member
Dec 10, 2010
905
985
Flagstaff
Nexus 7
Motorola Droid X
And in true form I keep poking around. adb exists, access is denied.

I loved "/system/bin/fsck_msdos" in /system/bin/vold :)
-------------------------------------------
Still going, I'll edit this post if I find anythign interesting here
-----------------------------
hey, I fount the encryption method in vold

"/dev/block/dm-%u crypt twofish %s 0 %s 0"
-----------------------------------------------
output of an export probe:
Code:
ANDROID_ASSETS
ANDROID_BOOTLOGO
ANDROID_DATA
ANDROID_PROPERTY_WORKSPACE
ANDROID_ROOT
ASEC_MOUNTPOINT
BOOTCLASSPATH
EXTERNAL_ALT_STORAGE
EXTERNAL_STORAGE
HOSTNAME
LD_LIBRARY_PATH
LOOP_MOUNTPOINT
PATH
PWD
---------------------------------
also, /tmp has write permissions. can someone PLEASE PLEASE PLEASE just copy a su binary from an X2 or Atrix?


Can we use the set to set the root directory to another location (say the SDCARD with a copy of the root FS long enough to execute an SU binary and then copy the required files into the real system directory running as root?
 

eww245

Senior Member
Aug 19, 2008
494
77
Throop
Can we use the set to set the root directory to another location (say the SDCARD with a copy of the root FS long enough to execute an SU binary and then copy the required files into the real system directory running as root?

We would probably need chroot for this. Also the sdcard it mounted with noexec.
 

pplude

Senior Member
Jul 27, 2011
103
10
32
Southbury, CT
Im thinking the /temp folder is probably our best bet for excecuting an exploit, as it has 777 permissions

Sent from my DROID3 using XDA App
 

nerdslogic

Senior Member
Nov 13, 2010
424
65
Oregon
Newb question but why can't we sign a file as a "vender" and flash it in the vender flash mode? Or is that a dumb question?

Sent from my DROID3 using Tapatalk
 

Adam.h.ogle

Senior Member
Jul 4, 2010
164
68
but if we tell it to mount the sdcard as root in / wouldn't it use the standard permissions for the / directory instead of those already assigned to sdcard?

You need root in order to do that.

I believe it is safe to say that there are no legitimate ways to load and elevate an executable. This leaves exploits. I looked through most of the exploits on cvedetails.com for the 2.6.35.7 kernel and none of them look promising as they either require modules that we don't have loaded, or they've been out long enough to have already been patched by Motorola when they built the kernel. The search continues...
 

redddog

Senior Member
Jul 27, 2011
90
16
If I were a Moto/dev, I would love to be watching you guys zero in on this. You guys are geniouses.
 

sparkyman216

Senior Member
Nov 4, 2010
155
7
What about the dbug file sits on sdcardex in transmits to Motorola. It called dbug.

Sent from my DROID3 using Tapatalk
 
Status
Not open for further replies.

Top Liked Posts

  • There are no posts matching your filters.
  • 7
    I'm getting so antsy for root :p
    TeamBlackHat, where are you...

    Sent from my DROID3 using XDA Premium App

    Just want to make it clear that TBH has a lot of resources and experience with Motorola devices and we understand the firmware and access tool very well. We also have engineering devices for many older models, which allows us to play around safely and to use clever tricks to root successive builds for phones that already have a rooted build to start from.

    We do not have any special skills for gaining root on a new device without an exploit, despite the fact that we understand how the process works.

    We will be here to help however we can and hope some of our experience will be useful, but don't want to foster any false expectations. We have some leads for the SBF file that so far have not produced results, unfortunately.

    We will keep trying...

    There are a lot of very sharp folks working on this and that is what it's going to take to succeed...there is no magic bullet.
    3
    Here's all our mounts, not that it'll help but may give some indications of where to look...



    rootfs / rootfs ro,relatime 0 0

    tmpfs /dev tmpfs rw,relatime,mode=755 0 0

    devpts /dev/pts devpts rw,relatime,mode=600 0 0

    proc /proc proc rw,relatime 0 0

    sysfs /sys sysfs rw,relatime 0 0

    none /acct cgroup rw,relatime,cpuacct 0 0

    tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0

    tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0

    none /dev/cpuctl cgroup rw,relatime,cpu 0 0

    /dev/block/system /system ext3 ro,noatime,nodiratime,barrier=1,data=ordered 0 0

    /dev/block/userdata /data ext3 rw,nosuid,nodev,noatime,nodiratime,errors=continue,barrier=1,data=ordered 0 0

    /dev/block/cache /cache ext3 rw,nosuid,nodev,noatime,nodiratime,errors=continue,barrier=1,data=ordered 0 0

    tmpfs /data/tmp tmpfs rw,relatime,size=2048k 0 0

    /dev/block/pds /pds ext3 rw,nosuid,nodev,noatime,nodiratime,errors=continue,barrier=1,data=ordered 0 0

    /dev/block/preinstall /preinstall ext3 rw,nosuid,nodev,noatime,nodiratime,barrier=1,data=ordered 0 0

    /dev/block/vold/179:1 /mnt/sdcard-ext vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0

    /mnt/sdcard-ext /mnt/sdcard-ext ecryptfs rw,dirsync,nosuid,nodev,noexec,relatime,ecryptfs_sig=965d636a1919f059,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough,no_new_encrypted 0 0

    /dev/block/vold/179:57 /mnt/sdcard vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0

    /dev/block/vold/179:57 /mnt/secure/asec vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0

    tmpfs /mnt/sdcard/.android_secure tmpfs ro,relatime,size=0k,mode=000 0 0

    /mnt/sdcard /mnt/sdcard ecryptfs rw,dirsync,nosuid,nodev,noexec,relatime,ecryptfs_sig=965d636a1919f059,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough,no_new_encrypted 0 0

    /dev/block/dm-0 /mnt/asec/com.dgo.VitalPlayer-2 vfat ro,dirsync,nosuid,nodev,relatime,uid=1000,fmask=0222,dmask=0222,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
    3
    one of the ones i thought might work was www.exploit-db.com/exploits/8673
    we'd need to precompile the .c file that it creates & then executes in the line beginning with "echo\" (just after the includes), and convert the shell code. it may have been patched in our kernel, but we wont know unless we try it, right?

    i thought there was another one, but i cant seem to find it any more

    Don't bother - this vulnerability has been patched, I verified this in the available kernel source.

    Hi, I'm the original author of the full-nelson kernel exploit linked earlier (the one that leverages Econet). To be clear, that exploit will not work on this phone because it requires causing an OOPS to trigger an exploitable condition, and this kernel has panic_on_oops enabled, meaning the kernel will not continue running in such a scenario.

    Rooting this device is going to take more work than just browsing exploit-db and hoping to find an exploit that works. There are no public exploits, kernel or userland, that will work on the kernel shipped with this phone.

    I'm willing to invest some time into auditing the Android application stack and kernel to find a suitable vulnerability that can root the device (I do this professionally). I don't have access to a physical device, so in the event that I find a usable vulnerability, I may need a hand in actually testing exploit code. I also won't refuse a donated test device. ;-)
    2
    I CAN ALMOST GUARANTEE ROOT IF ANYONE CAN SOLVE THIS PROBLEM:

    File 'fileX' needs to contain 2 cmds (ex - cmd1...;cmd2... aka - cp file /dir; cp file2 /dir) such that you can do the following in terminal and both commands run:

    EDIT: when i say contains.. it shoudl be a simple txt file that all it has in it is the 2 'cp' cmds

    Code:
    testing=`cat fileX`
    $testing

    if you can answer this.. then i should be able to provide root.

    Thank you.